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WHO'S WHO ON 

WHO'S BUYING 

IRAN'S CYBER 

THEM BOOKS? 

WARFARE SCENE? 

The most comprehensive 
analysis of Iran's cyber 
warfare scene ever 
performed 

WHERE DO THEY 

GO TO SCHOOL? 

In-depth analysis of Iran's 
academic incubators of 
the next generation of 
cyber warriors 

An-depth 

geopolitically relevant 
analysis of Iran's 
cyber warfare 
doctrine 

HOW DO THEY 

OWN AND 

COMPROMISE? 

Complimentary copies 
of hacking tools. E- 
zines. academic 
papers. SNA (Social 

Network Analysis) of 

Iran's Hacking Scene 

ANALYSIS BY DANCHO DANCHEV - REPORT PRICE - $500 



Assessing The Computer Network Operation (CNO) 
Capabilities of the Islamic Republic of Iran - Report 
( 2015 - 07-29 14 : 45 ) 

Dear blog readers, I would like to let you know, of my latest, 
publicly released report, on the topic of "[l]Assessing The 
Computer Network Operation (CNO) Capabilities of 
the Islamic Republic of Iran ", a comprehensive, 45 pages, 





assessment, of Iran's cyber warfare scene, featuring 
exclusive, never-published before, assessments of the 
country's cyber warfare doctrine, analysis of the country's 
academic incubators of the next generation of cyber warriors, 
featuring, an exclusive, social network analysis (SNA), of 
Iran's hacking scene. 

The report, answers the following questions: 

• Who's who on Iran's Cyber Warfare Scene - the most 
comprehensive analysis of Iran's cyber warfare scene, ever 
performed 
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• Where do they go to school? - in-depth analysis of Iran's 
academic incubators of the next generation of cyber warriors 

• Who's buying them books? - in-depth geopolitically 
relevant analysis of Iran's cyber warfare doctrine 

• How do they own and compromise? - complimentary copies 
of hacking tools, E-zines, academic papers, SNA (Social 
Network Analysis) of Iran's Hacking Scene 

An excerpt from the Executive Summary: 

11 Today's growing cyber warfare arms race, prompts for 
systematic, structured, and multidisciplinary enriched 
processes to be utilized, in order to anticipate/neutralize and 
properly attribute an adversary's strategic, tactical and 
operational Computer Network Operation (CNO) capabilities, 
so that an adequate response can be formulated and 
executed on the basis of a factual research answering some 
of the most relevant questions in the 'fifth domain' of 
warfare - who are our adversaries, what are they up to, when 
are they going to launch an attack against us, how exactly 



are they going to launch it, and what are they going to target 
first? 

This qualitative analysis (45 pages) seeks to assess the 
Computer Network Operations (CNO) of Islamic Republic of 
Iran, through the prism of the adversary's understanding of 
Tactics, Techniques and Procedures (TTP), a structured and 
geopolitically relevant, enriched OSINT assessment of their 
operations, consisting of interpreted hacking literature, 
videos, and, custom made hacking tools, extensive SNA 
(Social Network Analysis) of the country's Hacking 
Ecosystem, real-life personalization of the key individuals 
behind the groups (personally identifiable photos, personal 
emails, phone numbers, Blogs, Web Sites, Social Networking 
accounts etc.). It's purpose is to ultimately empower 
decision/policy makers, as well as intelligence analysts, with 
recommendations for countering Islamic Republic of Iran's 
growing understanding and application of CNO tactics and 
strategies. 11 

Request, your, complimentary, copy, of, the, report, by, 
approaching, me, dancho.danchev@hush.com Enjoy! 

1. https://dl.packetstormsecuritv.net/ pa pers/ a eneral/lran.rar 
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127.0.0.1 bobbear.co.uk 
127.0.0.1 reed.co.uk 
127.0.0.1 seek.com.au 
127.0.0.1 scam.com 
127.0.0.1 scambusters.org 
127.0.0.1 www.guardian.co.uk 



127.0.0.1 aic.gov.au 
127.0.0.1 google.com.au 
127.0.0.1 www.reed.co.uk 



Historical OSINT: OPSEC-Aware Sprott Asset 
Management Money Mule Recruiters Recruit, Serve 
Crimeware, And Malvertisements (2015-08-27 16:02) 

Cybercriminals continue multitasking, on their way to take 
advantage of well proven fraudulent revenue sources, 
further, positioning themselves as opportunistic market 
participants, generating fraudulent revenues, 
[^standardizing and innovating within the context of 
[2]OPSEC (Operational Security) while enjoying a decent 
market share within the [3]cybercrime ecosystem. 

In this post, I'll profile a [4]money mule recruitment 
campaign, featuring a custom fake certificate, successfully 
blocking access to [5]bobbear.co.uk as well as my personal 
blog, further exposing [6]a malicious infrastructure, that 
I'll profile in this post. 

Let's assess the campaign, and expose the malicious 
infrastructure behind it. 

The fake Sprott Asset Management sites, entices end users 
into installing the, the fake, malicious certificate, as a 
prerequisite, to being working with them, with hosting 
courtesy of ALFAHOSTNET (AS50793), a well known 








cybercrime-friendly malicious hosting provider, known, to 
have been involved in a variety of malvertising campaigns, 
including related malicious campaigns, that I'll expose in this 
post. 

Domain name reconnaissance for the malicious 
hosting provider: alfa-host.net - (AS50793) - Email: 

alitalaghat@gmail.com; Name: 

Mohmmad AN Talaghat (webalfa.net - 

78.47.156.245 also registered with the same email) 

Name Server: NS1.ALFA-H0ST.NET 

Name Server: NS2.ALFA-H0ST.NET 

Alfa-host LLP - (AS50793) 

person: Romanov Artem Alekseevich 

phone: +75.332211183 

address: Kazakhstan, Karagandinskaya obi, Karaganda, ul. 
Erubaeva 57, 14 

Upstream provider reconnaissance: 
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crackinglab.org 


info.sprottcareers.com 


info.sprottcorporate.com 

info.sprottweb.com 

mail.crackinglab.org 


c 


A 

88.212.221.46 
^Tir 


NET 88.212.192.0/18 AS 


mail.sarga.ru 


sarga.ru 


allianceassetonline.com 

ns2.allianceassetonline.com *<s 

a >_—--_ 

A ( 92.241.162.58 NET 92.241.160.0/19 

ns2.sprottcorporate.com 

ns2.uptusconsulting.net 

LLC TC "Interzvyazok" 

Hvoiki 15/15 
04080 Kiev 
UKRAINE 

phone: +380 44 238 6333 
fax: +380 44 238 6333 
e-mail: dz (at) intersv (dot) com 


AS39134 


AS41947 





The same upstream provider (Interzvyazok; intersv.com) is 
also known to have offered services to [7]yet another 
bulletproof hosting provider in 2011. 

Domain name reconnaissance: 

sprottcareers.com - 193.105.207.105; 88.212.221.46 

sprottcorporate.com - 193.105.207.105; 88.212.221.46 

sprottcorporate.com - 92.241.162.58 

sprottweb.com - 193.105.207.105; 88.212.221.46 
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Domain name reconnaissance: 

allianceassetonline.com - 92.241.162.58 

allianceassetweb.com - 88.212.221.41 

uptusconsulting.net - Email: terrizziboris@googlemail.com 
- 92.241.162.58 

Known to have responded to the same IP 
(193.105.207.105) are also the following malicious 
domains:aud itthere.ru maccrack.ru 

nissanmoto.ru 

megatuz.ru 

basicasco.ru 

megatuz.ru 


foreks999.ru 



monitod.ru 


peeeeee.ru 

fra8888.ru 

inkognittto.ru 

lavandas.ru 

Related 

MD5s 

known 

to 

have 

phoned 

back 

to 

the 

same 

IP 

(193.105.207.105) :MD5: 

a9442b894c61dl3acbac6c59adc67774 

MD5:7fd31163fe7d29c61767437b2bl234cd 


MD5:d90de03caa80506307fc05a0667246ef 



MD5:0924142 6aac7a4aael 2 743788ce4cff4 

MD5:cb74fb88f36b667e26f41671de8el841 

MD5:8efd31e0f3c251a3c7ef63b377edbf9c 

MD5:a750359c72de3fc38d2af2670fdla343 

MD5:f0cbef01f5bdlc075274533fl64bb06f 

MD5:398b06590179be83306b59cea9da79e5 

Related malicious domains known to have been 
active within (AS50793), ALFAHOSTNET: 34real.ru 
3pulenepro.net 

3weselchak.net 

analizes.ru 

appppal.ru 

arbuz777.ru 

arsenalik.ru 

assolo.ru 

astramani.ru 

basicasco.ru 

bits4ever.ru 

bonokur.ru 

boska7.ru 


chudachok9.ru 



cosavnos.ru 


dermidom44.ru 

drtyyyt.ru 

dvestekkk.ru 

ferdinandi.ru 
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ferzipersoviy.ru 

foreks999.ru 

fra8888.ru 

globus-trio.ru 

google-stats.ru 

horonili.ru 

inkognittto.ru 

karlito777.ru 

lavandas.ru 

ma456.ru 

medriop56.ru 

megatuz.ru 

mnobabla.ru 


monitod.ru 



offshoreglobal.ru 

okrison.com 

opitee.ru 

otrijek.ru 

peeeeee.ru 

pohmaroz44.ru 

postmetoday.ru 

reklamen6.ru 

reklamen7.ru 

rrrekti.ru 

sekretfive.ru 

stolimonov.ru 

sworo.ru 

trio4.ru 

update4ever.ru 

victorry.ru 

vivarino77.ru 

vopret.ru 

wifipoints.ru 



Known to have responded to the same IP 
(88.212.221.46) in the past, are also the following 
malicious domains: 

liramdelivery.com - Email: carlyle.jeffrey@gmail.com 
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info 

secretconsumeril.com 
Name servers: 

ns2.uptusconsulting.net - 92.241.162.58 
ns2.sprottcorporate.com - 92.241.162.58 
ns2.sprottweb.com - 92.241.162.58 
allianceassetweb.com - Email: 

martins.allianceam@gmail.com Surprise, surprise. We've also 
got the [8]following fraudulent [9]domains, responding 

[10]to the same [lljname server's IP (92.241.162.58; 
nsl.oildns.net, ns2.oildns.net) back in 2009. 
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What's particularly interesting, is the fact, that in 
2010, we've also got (92.241.162.58) hosting the 
following malicious MD5s: 


MD5: 8ee5435004ad523f4cbe754b3ecdb86e 








MD5: 38f5e6a59716d651915a895c0955e3e6 


We've also got nsl.oildns.net responding to 
(93.174.92.220), with the actual name server, known 
to have hosted, the following malicious MD5s: 

MD5: 5ae4b6235e7adlbfle3cl73b907defl7 

Sample detection rate for the malicious certificate: 

[12] MD5: 

ec39239accb0edb5fb923c25ffc81818 - detected by 23 out 
of 42 antivirus scanners as 
Gen:Trojan.Heur.SFC.juZ@aC7UB8eib 

Sample detection rate for the HOSTS file modifying 
sample: 

[13] MD5: 

969001fccld8358415911db90135fa84 - detected by 14 out 
of 42 antivirus scanners as Trojan.Generic.4284920 

Once executed, the sample successfully modifies, the 
HOSTS file on the affected hosts, to block access to: 

127.0.0.1 google.com 

127.0.0.1 google.co.uk 
127.0.0.1 www.google.com 
127.0.0.1 www.google.co.uk 
127.0.0.1 suckerswanted. blogspot. com 
127.0.0.1 i deceive, blogspot. com 



127.0.0.1 www.bobbear.co.uk 
127.0.0.1 bobbear.co.uk 
127.0.0.1 reed.co.uk 
127.0.0.1 seek.com.au 
127.0.0.1 scam.com 
127.0.0.1 scambusters. org 
127.0.0.1 www.guardian.co.uk 
127.0.0.1 ddanchev.blogspot.com 
127.0.0.1 aic.gov.au 
127.0.0.1 google.com.au 
127.0.0.1 www.reed.co.uk 
209.171.44.117 www.sprott.com 
209.171.44.117 sprott.com 
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Registration 


Step 3 from 4 


Bank information - 

Bank Name" 

Bank Address" 

Account Type “ 

Account Name" 

Account Number" 

BSB/Roubng" 

Age Of Account 

For BPAY payments please provide your credit 
card number linked to your bank account if you 
have it. 

Credit Card Number QOCXX XXXX XXXX XXXX) 


ChecMng 


Reset Form 


Register 


Sprott Asset Management 
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Registration 


Step 2 from 4 


United States 

Probationary Period Policy: 



I disagree ][ I agree ] 


Sprott Assel 


Sample confirmation email courtesy of Sprott Asset 
Management: WORKING PROCESS 













During all working process you will process incoming and 
outgoing transfers from our clients. Main duties are: send 
payments, receive payments, making records of billing, 
making simple management duties, checking e-mail daily 

You have to provide us your cell phone for urgent calls from 
your manager, if you don't have a cell phone you will need to 
buy it. You must have basic computer skills to operate main 
process of job duties. 

SALARY 

During the trial period (1 month), you will be paid 4,600 $ 
per month while working on average 3hours per day, 
Monday-Friday, plus 8 % commission from every payment 
received and processed. The salary will be sent in the form of 
wire transfer directly to your account or you may take it from 
received funds directly. After the trial period your base pay 
salary will go up to 6,950 $ per month, plus 10 % 
commission. 

FEES & TRANSFERING PROCEDURE 

AH fees are covered by the company. The fees for 
transferring are simply deducted from the payments 
received. 

Customer will not contact you during initial stage of the trial 
period. After three weeks of the trial period you will begin to 
have contact with the customers via email in regards to 
collection of the payments. For the first three weeks you will 
simply receive all of the transferring details, and payments, 
along with step by step guidance from your supervisor. You 
will be forwarding the received payments through 
transferring agents such as Western Union, Money Gram, any 
P2P agents or by wire transferring. 



WESTERN UNION & MONEYGRAM 


1. As soon as You receive money transfers from our clients 
you are supposed to cash it in your bank. 

2. You will need to pick up the cash physically at the bank, as 
well as a transfer to MoneyGram. 

3. Please use MoneyGram, located not in your bank, because 
this providing of anonymosty of our clients. 

4. The cashed amounts of money should be transferred to 
our clients via MoneyGram/Western Union. 
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according to our transfer instructions except ail the fees. The 
fees are taken from the amount cashed. 

5. Not use online service, only physical presence in an office 
of bank and Western Union. 

6. Just after you have transferred money to our clients, 
please contact your personal manager via e-mail 
(confirmation of the transfer) 

and let him (her) know all the details of your Western Union 
transfer: SENDER'S NAME, CONTACT DETAILS, ADRESS, AND 
A REFERENCE NUMBER, 

PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, 

THERE MUST BE NO MISTAKES, because our client will not be 
able to withdraw the funds. 

7. AH procedures have to take 1-2 hours, because we have to 
provide and verify the safety of our clients' money (we have 
to inform them about all our actions). 



Your manager will support you in any step of application 
process, if you have any questions you may ask it anytime. 

Go through related research regarding money mule 
recruitment: 

• [ 14]Profiling a Novel, High Profit Margins Oriented, 
Legitimate Companies Brand-Jacking Money Mule 
Recruitment Scheme 

• [15]Spotted: cybercriminals working on new Western Union 
based 'money mule management' script 

• [16]Keeping Money Mule Recruiters on a Short Leash - Part 
Eleven 

• [17]Keeping Money Mule Recruiters on a Short Leash - Part 
Ten 

• [18]Keeping Money Mule Recruiters on a Short Leash - Part 
Nine 

• [19]Keeping Money Mule Recruiters on a Short Leash - Part 
Eight - Historical OSINT 

• [20]Keeping Money Mule Recruiters on a Short Leash - Part 
Seven 

• [21]Keeping Money Mule Recruiters on a Short Leash - Part 
Six 

• [22]Keeping Money Mule Recruiters on a Short Leash - Part 
Five 

• [23]The DNS Infrastructure of the Money Mule Recruitment 
Ecosystem 



• [24]Keeping Money Mule Recruiters on a Short Leash - Part 
Four 

• [25]Money Mule Recruitment Campaign Serving Client-Side 
Exploits 

• [26]Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

• [27]Money Mule Recruiters on Yahool's Web Hosting 

• [28]Dissecting an Ongoing Money Mule Recruitment 
Campaign 

• [29]Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

• [30]Keeping Reshipping Mule Recruiters on a Short Leash 

• [31]Keeping Money Mule Recruiters on a Short Leash 

• [32]Standardizing the Money Mule Recruitment Process 
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• [33]lnside a Money Laundering Group's Spamming 
Operations 

• [34]Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

• [35]Money Mules Syndicate Actively Recruiting Since 2002 

1. http://ddanchev.blo as pot.com/2009/10/standardizin a- 
monev-mule-recruitment.html 


2. http://www.webroot.com/blo a /ta a/o psec/ 








3. http://www.webroot.com/blo a /2013/12/27/cvbercrime- 
trends-2013-vear-review/ 

4. http://ddanchev.blo as pot.com/2013/Q8/orofilin a -novel- 
hiah- profit-mar a ins.html 

5. http://ddanchev.blo as pot.com/2008/ll/ddos-attack- 
aa ainst-bobbearcouk.html 

6. http://ddanchev.blo as pot.com/2010/Q4/dns-infrastructure- 
of-monev-mule.html 

7. htto://www.abuse.ch/?o=3130 

8. http://www.bobbear.co.uk/liram-deliverv-service.html 

9. http://www.bobbear.co.uk/avicenna.html 

10. http://www.bobbear.co.uk/asset-mana a ement- 
comoanv.html 

11. http://www.bobbear.co.uk/alliance-asset- 
mana a ement.html 

12 . 

https://www.virustotal.com/file/laf2de0503eeb8213284f03e 

651765fb6003233d6e4ce0eab40676ba9e66123e/analvsis/ 

13. 

https://www.virustotal.com/file/12f0c720c629a29e5e2aca48 

6370c549d 7 70572 59fldd38aca50c078aaf7ed 57/anal vsis/ 

14. http://ddanchev.blo as pot.com/2013/08/profilin a -novel- 
hiah- orofit-mar a ins.html 

15. http://ddanchev.blo as pot.com/2013/08/orofilin a -novel- 
hiah- orofit-mar a ins.html 


















































16. http://ddanchev.blo as pot.com/2011/08/keeoin a -mone v- 
mule-recruiters-on-short.html 


17. http://ddanchev.blo as pot.com/2011/07/keeoin a -mone v- 
mule-recruiters-on-short.html 


18. http://ddanchev.blo as pot.com/2011/05/keepin a -mone v- 
mule-recruiters-on-short 30.html 


19. http://ddanchev.blo as pot.com/2011/05/keepin a -mone v- 
mule-recruiters-on-short 25.html 


20. http://ddanchev.blo as pot.com/2011/05/keeoin a -mone v- 
mule-recruiters-on-short.html 


21. http://ddanchev.blo as pot.com/2011/03/keeoin a -mone v- 
mule-recruiters-on-short.html 


22. http://ddanchev.blo as pot.com/2011/01/keeoin a -mone v- 
mule-recruiters-on-short.html 


23. http://ddanchev.blo as pot.com/2010/Q4/dns- 
infrastructure-of-monev-mule.html 

24. http://ddanchev.blo as pot.com/2010/04/keeoin a -mone v- 
mule-recruiters-on-short.html 


25. http://ddanchev.blo as pot.com/2010/Q3/monev-mule- 
recruitment-campai a n-servin a .html 

26. http://ddanchev.blo as pot.com/2010/Q3/keepin a -mone v- 
mule-recruiters-on-short.html 


27. http://ddanchev.blo as pot.com/2010/Q3/monev-mule- 
recruiters-on-vahoos-web.html 


28. http://ddanchev.blo as pot.com/2010/Q2/dissectin a- 
on a oin a -monev-rnule.html 


























































29. http://ddanchev.blo as pot.com/2010/02/keeoin a -mone v- 
mule-recruiters-on-short.html 


30. http://ddanchev.blo as pot.com/2009/12/keeoin a- 
reshi p pin a -mule-recruiters-on.html 

31. http://ddanchev.blo as pot.com/2009/ll/keepin a -mone v- 
mule-recruiters-on-short.html 


32. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 

33. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-soammin a .html 

34. http://ddanchev.blo as pot.com/2008/Q7/monev-mule- 
recruiters-use-asoroxs-fast.html 

35. http://ddanchev.blo as pot.com/20Q8/10/monev-mules- 
s vndicate-activelv.html 
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Historical OSINT - How TROYAK-AS Utillized BGP-over- 
VPN to Serve the Avalance Botnet (2015-08-28 16:15) 

Historical OSINT is a crucial part of an intelligence analyst's 
mindset, further positioning a growing or an emerging trend, 
as a critical long term early warning system indicator, 
highlighting the importance, of current and emerging trends. 






































In this post, I'll discuss Troy a k-AS, a well-known cybercrime- 
friendly hosting provider, that represented, the growing 
factor, for the highest percentage of malicious and fraudulent 
activity online, throughout 2010, its upstream provider 
NetAssist LLC, and most importantly, a malicious innovation 
applied by cybercriminals, at the time, namely the 
introduction of malicious netblocks and ISPs, within the RIPE 
registry, relying on [l]OPSEC (Operational Security) and 
basic evasive practices. 

According to RSA, the [2]Ukrainian based ISP NetAssist 

LLC is listed as a legitimate ISP, one whose services haven't 
been abused in any particular cybercrime-friendly way. 

This analysis, will not only prove, otherwise, namely, that 

[3] NetAssist LLC's involvement in introducing a dozen of 

[4] cybercrime friendly networks - including [5]TROYAK- 

AS - has been taking place for purely commercial reasons, 
with the ISP charging thousands of euros for the process, but 
also, expose a malicious innovation applied on behalf of 

[6]opportunistic cybercriminals, at the time, namely, the 
introduction of innovative bulletproof hosting tactics, 
techniques and procedures. 

Domain name reconnaissance: 

troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 
(AS44310) - Email: staruy.rom@troyak.org; 
staruy.rom@inbox.ru smallshopkz.org - 195.78.123.1 
(AS12570) 
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The site is closed for redesign 



For support and connection, please call: (095)2734191, e-mail:supportfo ctlan.net. 



A$ ► AS8287 


► AS31366 


Name servers: 

ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA 
ns.bgpvpn.kz - 91.213.93.10 












ns.smallshopkz.org (195.78.123.1) is also known to have 
offered DNS services, to prombd.net (AS44107) PROMBUD- 
DETAL (AS50215 Troyak-as at the time responding to 
ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) 
VESTEH-NET 

91.200.164.1 
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Domain name reconnaissance: 


bgpvpn.kz 

Organization Using Domain Name 

Name .; My kola Tabakov 

Organization Name ; My kola Tabakov 

Street Address .; office 211, ul. Pushkina, dom 166 


City .; Astana 


State .; Astana 


Postal Code .; 010000 


4036 
8 ! 3 ? 


Country. 


: KZ 


























Administrative Contact/Agent 

NIC Handle .; CA537455-RT 

Name .; My kola Tabakov 

Phone Number. .; +7.7022065468 

Fax Number. .; +7.7022065468 

Email Address .; tabanet@mail. ru 

Nameserver in listed order: 

Primary server. .; ns.bgpvpn.kz 

Primary ip address .; 91 . 213 . 93.10 

Domain name reconnaissance: 
smallshopz. biz 

Domain Name:SMALLSHOPKZ.ORG 

Created 0n:30-0ct-2009 13:42:14 UTC 

Last Updated On:19-Mar-2010 14:39:19 UTC 

Expiration Date:30-0ct-2010 13:42:14 UTC 

Sponsoring Registrar.Directi Internet Solutions Pvt. Ltd. d/b/a 
PublicDomainRegistry.com (R27-LROR) Status:CLIENT 
TRANSFER PROHIBITED 

Registrant ID:DI 10606443 

Registrant Name:Vladimir Vladimirovich Stebluk 

Registrant Organization:N/A 
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Registrant Streetl:off. 306, Bulvar Mira, 16 
Registrant Street2: 

Registrant 5treet3: 

Registrant City.Karaganda 
Registrant State/Province:Qaraghandyobiysy 
Registrant Postal Code:100008 
Registrant Country:KZ 













Registrant Phone:+7.7012032605 
Registrant Phone Ext.: 

Registrant FAX: 

Registrant FAX Ext.: 

Registrant Email:v\adcrazy@smaUshopkz.org 

NetAssist LLC (netassist.ua) (AS29632) 
reconnaissance: 

inetnum: 62.205.128.0 - 62.205.159.255 

netname: UA-NETASSIST-20080201 

descr: NetAssist LLC 

country: UA 

org: ORG-NL64-RIPE 
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admin-c: MT6561-RIPE 
admin-c: AVI27-RIPE 
tech-c: MT6561-RIPE 
tech-c: APP18-RIPE 
status: ALLOCATED PA 
mnt-by: RIPE-NCC-HM-MNT 
mnt-lower: MEREZHA-MNT 











mnt-routes: MEREZHA-MNT 


mnt-domains: MEREZHA-MNT 
source: RIPE # Filtered 
organisation: ORG-NL64-RIPE 
org-name: NetAssist LLC 
org-type: LIR 
address: NetAssist LLC 
22 

Max Tulyev 

GEROEV STALINGRADA AVE APP 57 BUILD 54 

04213 Kiev 

UKRAINE 

phone: +380 44 5855265 
fax-no: +380 44 2721514 
e-mail: info@netassist.kiev.ua 
admin-c: AT4266-RIPE 
admin-c: KS3536-RIPE 
admin-c: MT6561-RIPE 
mnt-ref: RIPE-NCC-HM-MNT 


mnt-ref: MEREZHA-MNT 



mnt-by: RIPE-NCC-HM-MNT 
source: RIPE # Filtered 
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person: Max Tulyev 
address: off. 32, 12 Artema str., 











address: Kiev, Ukraine 


remarks: Office phones 

phone: +380 44 2398999 

phone: + 7 495 7256396 

phone: +1 347 3414023 

phone: +420 226020344 

remarks: GSM mobile phones, SMS supported 

phone: +7 916 6929474 

phone: +380 50 7775633 

remarks: Fax is in auto-answer mode 

fax-no: +380 44 2726209 

remarks: The phone below is for emergency only 
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remarks: You can also send SMS to this phone 

phone: +88216 583 00392 

remarks: 

remarks: Jabber ID mt656l@jabber.kiev.ua 
remarks: SIP 7002@195.214.211.129 
e-mail: maxtul@netassist.ua 
e-mail: president@ukraine.su 



nic-hdl: MT6561-RIPE 


mnt-by: MEREZHA-MNT 
source: RIPE # Filtered 
person: Alexander V Ivanov 
address: 14-28 Lazoreviy pr 
address: Moscow, Russia 
address: 129323 
phone: +7 095 7251401 
fax-no: +7 095 7251401 
e-mail: ivanov077@gmail.com 
nic-hdl: AVI27-RIPE 
mnt-by: MEREZHA-MNT 
source: RIPE # Filtered 
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person: Alexey P Panyushev 
address: 8-142, Panferova street 
address: Moscow, Russia 
address: 117261 
phone: +7 903 6101520 


fax-no: +7 903 6101520 













e-mail: panyushev@gmail.com 
nic-hdl: APP18-RIPE 
mnt-by: MEREZHA-MNT 
source: RIPE # Filtered 

Is NetAssist LLC, on purposely offering its services, for the 
purpose of orchestrating cybercrime-friendly campaigns, in a 
typical bulletproof cybercrime friendly fashion, or has it been 
abused, by an opportunistic cybercriminals, earning 
fraudulently obtained revenues in the process? Based on the 
analysis in this post, and the fact, that the company, 
continues offering IPv4 RIPE announcing services, I believe, 
that on the majority of occasions, the company 26 

has had its services abused, throughout 2010, leading to the 
rise of the Avalance bothet. 

I expect to continue observing such type of abuse, however, 
in a [7]cybercrime ecosystem, dominated, by the abuse of 
legitimate services, I believe that cybercriminals will 
continue efficiently bypassing defensive measures in place, 
through the abuse and compromise of legitimate 
infrastructure. 

This post has been reproduced from [8]Dancho 
Danchev's blog . 

1. http://www.webroot.com/blo a /ta a/O Dsec/ 

2. http://rsa.com/blo a /blo a _entrv.aspx7id = 1610 

3. https://www.abuse.ch/?p=2417 

4. http://ddanchev.blo as pot.com/2010/Q5/avalanche-botnet- 
and-trovak-as.html 














5. http://www.zdnet.com/article/trovak-as-the-cvbercrime- 
friendlv-isp-that- i ust-wont- a o-awa v/ 

6. http://ddanchev.blo as pot.com/2010/03/as5Q215-trovak- 
as-taken-off1ine-zeus-c.html 

7. http://www.webroot.com/blo a /2013/12/27/cvbercrime- 
trends-2013-vear-review/ 

8. http://ddanchev.blo as pot.com/ 
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30 

Cybercriminals Launch Malicious Malvertising 
Campaign, Thousands of Users Affected (2016-04-24 
21:17) We've recently intercepted, a currently ongoing 
malicious malvertising attack, affecting thousands of users 
globally, potentially exposing their PCs, to, a multitude of 
malicious software, compromising, the, integrity, 
confidentiality, and, availability, of, their, PCs. 

The campaign relies on the Angler Web malware exploitation 
kit, for, the, purpose of serving malicious software, on the, 
PCs, of, affected users exposing, their, PCs, to, a multitude, 




















of, malicious software, potentially leading, to, a compromise, 
of, their, PCs. Once, users, visit, a legitimate Web site, part, of 
the, campaign, their, PCs, automatically become, part, of the 
botnet, operated, by, the, cybercriminals, behind it, with, the, 
campaign, relying, on, the, use, of, the, exploitation, of, a 
well known, client-side, vulnerability. 

Cybercriminals, often, rely, on, the, use, of, compromised, 
accounting, data, obtained, through, active data mining, of, a 
botnet's infected population, for, the purpose, of, 
embedding, malicious, client-side exploits, on well known, 
and highly popular, Web sites, next, to, the, active, client- 
side, exploitation, of, known, vulnerabilities, found, on public, 
and well, known, Web sites. Yet, another highly popular 
attack vector, remains, the use, of compromised, advertiser 
network publisher's account, for, the, purpose, of taking 
advantage, of, the publisher's, already established, clean, 
network, reputation. 

In this post, we'll profile, the, malicious campaign, provide, 
actionable, intelligence, for, the, infrastructure, behind it, 
provide, malicious MD5s, as, well, as, discuss, in depth, the, 
tactics, techniques, and procedures, utilized, by, the, 
cybercriminals, behind it. 

Sample detection rate for the 

Trojan.Win32.Waldek.gip malware: MD5: 

f2b92d07bb35fl649b015a5acl0d6f05 

Once executed the sample phones back to: 

hxxp://datanet.cc/extra/status.html - 146.185.251.154 

Malicious URLs, used, in the, campaign: 

hxxp://gamergrad.top/track/k.track?wd=48 &fid = 2 - 
104.24.112.169 



hxxp://talk915.pw/track/k.track?wd=48 &fid = 2 - 
104.27.190.84 

Known to have responded to the same IP 
(146.185.251.154) are also the following malicious 
domains: hxxp://crenwat.cc 

hxxp://oldbog.cc 

hxxp://datanet.cc 

hxxp://glomwork.cc 

hxxp://speedport.cc 

hxxp://my hostel ub.ee 

hxxp://termi nreg.ee 

hxxp://cu rrentnow.ee 

hxxp://copyinv.cc 

hxxp://lableok.cc 

hxxp://agentad.cc 

hxxp://appclone.cc 

hxxp://tune4.cc 

hxxp://objects.cc 

Once executed, the, sample, phones, back, to the, 
following, C &C server: 31 


hxxp://188.138.70.19 



Known to have responded to the same IP 
(188.138.70.19) are also the following malicious 
domains: hxxp://alfatrade.cxaff.com 

hxxp://affil iates.alfatrade.com 

Known to have phoned back to the same malicious C 
&C server, are, also, the following malicious MD5s: 

MD5: aaa6559738f74bd7a2fflb025a287043 

MD5: b919a06e79318c0d50b8961b0e32eb0a 

MD5: a384337cad9335b34d877dd4c59c73ce 

MD5: e7b7b7664e89bel8bcf2b79ccll6731f 

MD5: d712ddbc9b4fb27d950be93clel44cce 

Related malicious MD5s known to have phoned back 
to the same C &C server: MD5: 
aaa6559738f74bd7a2fflb025a287043 

MD5: b919a06e79318c0d50b8961b0e32eb0a 

MD5: a2bd512e438801a2aal871a2ac28e5bd 

MD5: f01f9ded34cfe21098a2275563cf0d9d 

MD5: e7b7b7664e89bel8bcf2b79ccll6731f 

This post has been reproduced from [lJDancho 
Danchev's blog . 

1. http://ddanchev.blo as pot.com/ 
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Analyzing the Bill Gates Botnet - An Analysis (2016- 
04-24 22:47) We've, recently, intercepted, a high-profile, 
Linux-based, botnet-driven, type of, malicious, software, 
that's capable, of launching, a multitude of malicious 
attacks, on, compromised servers, potentially, exposing, the, 
integrity, confidentiality, and, availability, of, the 
compromised servers. Malicious attackers, often rely, on the 
use of compromised servers, for, the purpose, of, utilizing the 
access for malicious purposes, including, the capability, to 
launch malicious DDoS (Denial of Service Attack) attacks, 
and the ability, to spread additional malicious software, to 
potential users, including the capability to monetize access 
to the service, by, launching, DDoS for hire type of malicious 
and fraudulent services, including, the capability to launch 
high performance DDoS attacks. 

In this post, we'll, profile, and analyze, the Bill Gates botnet, 
provide, actionable intelligence, on, the infrastructure, 
behind it, and, discuss, in depth, the tactics, techniques, and 
procedures, of the cybercriminals, behind it. 

Malicious MD5s known to be part of the Bill Gates 
botnet: 

MD5: 5dl0bcbl5bedb4b94092c4c2e4d245b6 
MD5: Od79802eeae43459ef0f6f809ef74ecc 
MD5: 9a77fladl25cf34858be5e438b3f0247 
MD5: 9a77fladl25cf34858be5e438b3f0247 
MD5: a89c089b8d020034392536d66851b939 
MD5: a5b9270a317c9ef0beda992183717b33 


Known Bill Gates botnet C &C server: 



hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37 

Malicious C &C servers known to be part of the Bill 
Gates botnet: 202.103.178.76 

121.12.110.96 

112.90.252.76 

112.90.22.197 

112.90.252.79 

Known to have responded to the same malicious IP 
(122.224.50.37) are also the following malicious 
domains: hxxp://lfs99.com 

hxxp://chchong.com 

hxxp://uc43.net 

hxxp://59wgw.com 

hxxp://frade8c.com 

hxxp://96hb.com 

hxxp://cq670.com 

hxxp://776ka.com 

Malicious MD5s known to have phoned back to the 
same C &C server IP (122.224.50.37): MD5: 
6739ca4a835c7976089e2f00150f252b 

MD5: eb234cee4ff769f2b38129bcl64809d2 

MD5: dc893dl6316489dffa4e8d86040189b2 



MD5: 0clcac2a019aalcc2dcc0d3bl7fc4477 


MD5: b7765076af036583fc81a50bd0b2a663 

Known to have responded to the same malicious IP 
(122.224.34.42) are also the following malicious 
domains: hxxp://76.wawall.com 
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hxxp://903. wawall.com 
hxxp://904. wawall.com 
hxxp://905. wawall.com 
hxxp://906. wawall.com 
hxxp://907. wawall.com 
hxxp://9 lww.0574yu.com 
hxxp://9911sf.com 
hxxp://901.t772277.com 
hxxp://a isf.juxll4.com 
hxxp://5 20. wawall.com 
hxxp://a wooolsf.com 
hxxp://2 288game.com 
hxxp://588bc.com 
hxxp://488game.com 
hxxp://588bc.com 



Malicious MD5s known to have been downloaded 
from the same malicious C &C server IP 
(122.224.34.42): MD5: 
5dl0bcbl5bedb4b94092c4c2e4d245b6 

MD5: 9a77fladl25cf34858be5e438b3f0247 

Malicious MD5s known to have been phoned back to 
the same malicious C &C server IP(122.224.34.42): 

MD5: 815e453b6e268addf6a6763bfe013928 

Once executed the sample phones back to the 
following malicious C &C server IPs: 

hxxp://awooolsf.com/222.txt - 122.224.34.42 

hxxp://xxx.com/download/xx.exe - 67.23.112.226 

Known to have responded to the same malicious IP 
(67.23.112.226) are also the following malicious 
domains: hxxp://falconglobalimpex.com 

hxxp://deschatz-army.net 

hxxp://m.xxx.com 

hxxp://xxx.com 

hxxp://xxxsites.com 

hxxp://t.xxx.com 

hxxp://m.xxx.org 

hxxp://m.xxxsites.com 

hxxp://xxx.org 



Known to have been downloaded from the same 
malicious IP (67.23.112.226) are also the following 
malicious MD5s: 

MD5: b4b483eb0d25fa3a9ec589ebll467ab8 

Known to have phoned back to the same malicious C 
&C server (67.23.112.226) are also the following 
malicious MD5s: 

MD5: 53a7fc24cbl9463f8df3f4fe3ffd79b9 
MD5: 268b8bcacecl73eace3079db709b9c69 
MD5: 0faf6988dfeaa98241cl9fd834ecal94 
MD5: 87f8ffebl7a72fda7cf28745fa7a6be8 
MD5: c973f818a5f9326c412ac9c4dfaeb0bd 
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This post has been reproduced from [lJDancho 
Danchev's blog . 

1. http://ddanchev.blo as pQt.com/ 
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Malware Campaign Using Google Docs Intercepted, 
Thousands of Users Affected (2016-04-26 20:13) We've 
recently intercepted, a malicious campaign, utilizing, Google 
Docs, for, the purpose, of spreading, malicious software, 
potentially, exposing, the confidentiality, integrity, and 
availability, of the, targeted hosts. 

In this, post, we'll profile, the malicious campaign, expose, 
the malicious, infrastructure, behind, it, provide, MD5s, and, 




discuss, in depth, the, tactics, techniques, and procedures, 
of, the, cybercriminals, behind it. 

Sample malicious URL: 

hxxp://younglean.cba.pl/lean/ - 95.211.80.4 
Sample malicious URL hosting locations: 

hxxp://ecku.cba.pl/js/bin.exe 

hxxp://mondeodoslubu.cba.pl/js/bin.exe 

hxxp://piotrkochanski.cba.pl/js/bin.exe 

hxxp://szczuczynsp.cba.pl/122/091.exe 

Known to have responded to the same malicious 
(95.211.80.4) are also the following malicious 
domains: hxxp://barbedosgroup.cba.pl 

hxxp://brutalforce.pl 

hxxp://ch ristophar-hacker.pl 

hxxp://moto-przestrzen.pl 

hxxp://etu rva.yO.pl 

hxxp://lingirlie.com 

hxxp://ogladaj mecz.com. pi 

hxxp://oriflamekon kurs2H6.cO.pl 

hxxp://u meblowani.cba.pl 

hxxp://webadmi nvalidation.cba.pl 



hxxp://adamr.pl 
hxxp://alea.cba.pl 
hxxp://a rtbymachonis.cba.pl 
hxxp://beq wqgdu.cba.pl 
hxxp://bleachon I ine.pl 
hxxp://facebook-profile-natalia9320.j.pl 
hxxp://fl Irevl978.cba.pl 
hxxp://g otowesms.pl 
hxxp://kbvdfuh.cba.pl 
hxxp://mapl kal977.c0.pl 
hxxp://nag robkiartek.pl 
hxxp://nyzusboj pxnl.cba.pl 
hxxp://oki I hl973.cba.pl 
hxxp://pucusej.cba.pl 
hxxp://sajtom.pl 
hxxp://tarnowiec.net.pl 
hxxp://techtell.pl 
hxxp://testujemy pi.cba.pl 
hxxp://lawendowawyspa.cba.pl 
hxxp://you nglean.cba.pl 



hxxp://delegatu raszczecin.cba.pl 
hxxp://metzmoerex.cba.pl 
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hxxp://kmpk.cO.pl 
hxxp://500plus.c0.pl 
hxxp://erxhxrrb 1981.cba.pl 
hxxp://exztwsl.cba.pl 
hxxp://fafrvfa. cba.pl 
hxxp://fastandfu rios.cba.pl 
hxxp://fi I monline.cba.pl 
hxxp://fragcraft.pl 
hxxp://fryzjer.cba.pl 
hxxp://hged koml973.cba.pl 
hxxp://l uyfivl972.cba.pl 
hxxp://ol iviasekulska.com 
hxxp://opziwr-zamosc.pl 
hxxp://ostro.ga 
hxxp://rodzi na500plus.c0.pl 
hxxp://roknasilowni.tk 
hxxp://vfqqgrl971.cba.pl 



Sample malicious MD5s known to have phoned back 
to the same malicious IP (95.211.80.4): MD5: 
495f05d7ebcal022da2cddl700aeac39 

MD5: 68abd8a3a8cl8c59f638e50ab0c386a4 

MD5: 65b4bdba2d3b3e92b8b96d7d9ba7f88e 

MD5: 64b5c6b20e2d758a008812df99a5958e 

MD5: a0869b751e4a0bf27685f2f8677f9c62 

Once executed the sample phones back to the 
following C &C servers: hxxp://smartoptionsinc.com - 
216.70.228.110 

hxxp://ppc.cba.pl - 95.211.80.4 

hxxp://apps.identrust.com - 192.35.177.64 

hxxp://cargol.cat - 217.149.7.213 

hxxp://bikeceuta.com - 91.142.215.77 

This post has been reproduced from [lJDancho 
Danchev's blog . 

1. http://ddanchev.blo as pot.com/ 
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Malicious Client-Side Exploits Serving Campaign 
Intercepted, Thousands of Users Affected 

(2016-04-26 20:39) 

We've recently intercepted, a currently, circulating, malicious 
campaign, utilizing, a variety, of compromised, Web sites, for, 




the purpose, of serving, malicious software, to socially 
engineered, users. 

In this post, we'll profile, the campaign, the infrastructure, 
behind, it, provide, actionable, intelligence, MD5s, and, 
discuss, in depth, the tactics, techniques, and procedures, of, 
the cybercrimnals, behind it. 

Sample malicious URL: 

hxxp://directbalancejs.com/module.so - 37.48.116.208; 
31.31.204.161 

hxxp://2-eco.ru 

hxxp://2401.ru 

hxxp://24xxx.site 

hxxp://3502050.ru 

hxxp://6553009.xyz 

hxxp://7032949.ru 

hxxp://academi ng.ru 

hxxp://academyfi nance.ru 

hxxp://acti velifelab.com 

hxxp://ad vokat-mikheev.ru 

hxxp://ad vokatstav.ru 

hxxp://a kvahim98.ru 

hxxp://al-minbar.ru 



hxxp://a 11 esmarket.com 

hxxp://alltrump.ru 

hxxp://altropasso.ru 

hxxp://ambertao.info 

hxxp://a mbertao.org 

hxxp://ancra.ru 

hxxp://andr-6-u pdate.ru 

hxxp://a ndroid-new.ru 

hxxp://a ndroidid-6-new.ru 

hxxp://a ngrymultik.ru 

hxxp://a nimaciyafoto.ru 

hxxp://a nimaciyaonline.ru 

hxxp://a nimaciyastiker.ru 

hxxp://a nimationline.ru 

hxxp://a nimehvost.ru 

hxxp://anyen.ru 

hxxp://any wifi.on line 

hxxp://apple-pro.moscow 

hxxp://a ppliancerepairmonster.com 

hxxp ://a ptech ka .fa rm 



hxxp://arbosfera.ru 
hxxp://archsalut.ru 
h xx p://a rstd.ru 
hxxp://asl anumarov.ru 
hxxp://atlanted.ru 
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hxxp://aurispc.ru 
hxxp ://avangard master.ru 
hxxp://aviacorp24.ru 
hxxp ://a wpashko.com 

Known to have phoned back to the same malicious C 
&C server (31.31.204.161) are also the following 
malicious MDSs: 

MD5: c3754018dab05b3b8aac5fe8100076ce 

Once executed the sample phones back to the 
following C &C server: hxxp://info-get.ru - 31.31.204.161 

Known to have phoned back to the same malicious C 
&C server (31.31.204.161) are also the following 
malicious MD5s: 

MD5: 4ff9bd7a045b0fe42a8f633428a59732 
MD5: 46bleaae5b53668a7ac958aecf4e57c3 


MD5: d643025c5d0a2a2940502f4bl5cal801 



MD5: 75dce2d84540153107024576bfce08fc 


MD5: a23235ed940a75f997cl27f59b09011d 

This post has been reproduced from [lJDancho 
Danchev's blog . 

1. http://ddanchev.blo as pot.com/ 
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Malicious Campaign Affects Hundreds of Web Sites, 
Thousands of Users Affected (2016-05-16 10:33) We've 
recently intercepted, a currently, circulating, malicious, 
campaign, affecting, hundreds, of Web sites, and exposing, 
users, to, a, multi-tude, of, malicious, software. 

In this post, we'll profile, the campaign, provide malicious 
MD5s, expose, the, infrastructure, behind, it, and, discuss, in- 
depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind it. 

Malicious URLs used in the campaign: 

hxxp://default7.com - 199.48.227.25 
hxxp://test246.com - 54.208.99.166 
hxxp://test0.com - 72.52.4.119 
hxxp://distinctfestive.com - 54.208.99.166 




hxxp://ableoccassion.com - 54.208.99.166 

Sample malware used in the campaign: 

MD5: 9854fl4ca653ee7c6bf6506d823f7371 

Once executed, a, sample, malware, phones, back, 
to, the, following, C &C server: 

hxxp://intva31.homelandcustom.info (52.6.18.250) 

Known to have phoned back to the same malicious C 
&C server IP (54.208.99.166), are, also, the, 
following, malicious, MD5s: 

MD5: fd368af200fd835687997ca2a4a0389b 

MD5: c0379cdal717dle05c938f8e06c04a46 

MD5: 60eef5bll6579d75b272a61e40716bc0 

MD5: 8481f23748358fbfd5c36cea53c90793 

MD5: 0953f8ec3f0001b3e5f3490203135def 

Once executed, a, sample, malware, phones, back, 
to, the, following, C &C servers: hxxp://ii55.net 
(69.172.201.153) 

hxxp://rwai.net (54.208.99.166) 

Known to have phoned back to the same malicious C 
&C server IP (69.172.201.153) are also the following 
malicious MD5s: 

MD5: 5979f69be8b6716c0832b6831c398914 


MD5: a27083ffl9bl87cbc64644bcl0d2afll 



MD5: b9306bb08ac502c7bcaf3d7e0cd9d846 


MD5: Cd34980dda700d07b93eef7910a2a8be 

MD5: b708860e7962bl0e26568c9b037765df 

Known to have phoned back to the same malicious C 
&C server IP (54.208.99.166) are also the following 
malicious MD5s: 

MD5: 9854fl4ca653ee7c6bf6506d823f7371 

MD5: 90a88230d5b657ced3b2d71162a33cff 

MD5: 70465233d93aa88868d7091454592a80 

MD5: f8e21525c6848f45e4ab77aee05f0a28 

Related malicious MD5s known to have phoned back 
to the same malicious C &C server (54.208.99.166): 

MD5: fd368af200fd835687997ca2a4a0389b 

41 

MD5: c0379cdal717dle05c938f8e06c04a46 

MD5: 60eef5bll6579d75b272a61e40716bc0 

MD5: 8481f23748358fbfd5c36cea53c90793 

MD5: 0953f8ec3f0001b3e5f3490203135def 

We'll continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 

42 


2.3 



August 

43 



Cybercriminals Offer Fake/Fraudulent Press 
Documents Accreditation On Demand (2016-08-16 
20:07) In a cybercrime ecosystem, dominated by fraudulent 
market propositions, and new market entrants occupying 
new market segments on a daily basis, cybercriminals are 
perfectly positioned, to continue offering, commoditized 
underground market goods, such as, for instance, fake 
documents, for the purpose of generating fraudulent 
revenue, while empowering fellow cybercriminas, with the 
necessary tools to further commit fraudulent activities. 

In this post, we'll, discuss a newly launched service, offering 
fake press accreditation documents, and discuss the overall 














relevance of the service, in the context of the underground 
marketplace's ongoing commoditization, basic market 
segmentation concepts, as well as newly applied concepts 
such as DIY (do-it-yourself) type of services, and basic OPSEC 
with QA (Quality Assurance) in mind. 
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The service is currently offering custom-made press 
accreditation documents for the Russian Federation, allowing 
potential cybercriminals the ability to access press-free 
zones, potentially commiting related fraudulent activities. 

The price varies between $62 and $130 depending on the 
number of fake documents requested, including the option to 
request anonymous delivery of the fake documents. 
























Thanks to a vibrant DIY (do-it-yourself) custom-based type of 
fake documents generating market segment, cybercriminals, 
have also successfully managed to efficiently streamline the 
process of generating these documents, applying, both, basic 
OPSEC (Operational Security) measures in place, to ensure 
that they're perfectly positioned to reach to their targeted 
audience, while preserving a decent degree of their 
operational procedures, as well as Q &A (Quality Assurance) 
processes, to further ensure the quality of their underground 
market proposition. 

We expect to continue observing a decent supply of 
segmented market propositions, targeting, both, novice and 
experienced cybercriminals, seeking to obtain fake 
documents, on their way to commit related fraudulent 
activities. 

Related posts: 

47 

[1] A Peek Inside the Russian Underground Market for 
Fake Documents/IDs/Passports 

[2] Newly Launched 'Scanned Fake 
Passports/IDs/Credit Cards/Utility Bills' Service 
Randomizes and Generates Unique Fakes On The Fly 

[3] Vendor of Scanned Fake IDs, Credit Cards and 
Utility Bills Targets the French Market Segment 

[4] Cybercriminals Offer High Quality Plastic U.S 
Driving Licenses/University ID Cards 

This post has been reproduced from [5]Dancho 
Danchev's blog. Follow him [6]on Twitter. 



1. http://ddanchev.blo as pot.com/2013/05/a-peek-inside- 
russian-under a round.html 


2. http://ddanchev.blo as oot.com/2013/07/newlv-launched- 
scanned-fake.html 

3. http://ddanchev.blo as pot.com/2013/08/vendor-of-scanned- 
fake-ids-credit-cards.html 

4. http://ddanchev.blo as pot.com/2013/08/cvbercriminals- 
offer-hi a h-aualitv.html 

5. http://ddanchev.blo as oot.com/ 

6. https://twitter.com/dancho danchev 
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Spam-friendly Image Randomization Tool Released on 
the Underground Marketplace (2016-08-17 13:34) 

Cybercriminals, continue applying basic QA (Quality 
Assurance) processes, to their fraudulent campaigns, on their 
way to achieve a posive ROI (Return on Investment) out of 
their fraudulent activities. 

In this post, we'll discuss a newly launched commercial tool, 
that's capable of generating unique images, for the purpose 
of tricking spam filters, in an attempt to trick end users into 
falling victim into the fraudulent campaign. 
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Priced at $25, the API-enabled tool is capable of converting a 
regular image, executed in a spam campaign, into a new one 
successfully bypassing spam filters, exposing end users to 




























fraudulent attempts, generating fraudulent revenue, for the 
cybercriminals behind the campaign. 

We expect to continue observing an increase in QA (Quality 
Assurance) driven underground market propositions, leading 
to a successful set of fraudulent propositions, dominating the 
underground marketplace. 
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Managed Social Engineering Based Code Signing 
Generating Certificate Service Spotted in the Wild 
(2016-08-17 14:23) 

Cybercriminals are masters of social engineering, potentially 
tricking, tens of thousands of users on a daily basis, into 
falling victims into fraudulent cybercrime-friendly 
campaigns, generating them, hundreds of thousands of 
fraudulent revenues, successfully, contributing to the growth 
of multiple underground market segments, within, the 
underground marketplace. 

In this post, we'll discuss a newly launched service, 
empowering, both, novice, and experienced cybercriminals, 
with the necessary tools and know how, to further commit, 




























fraudulent activities, in the form of socially engineered code 
signing certificates, obtained through the registration of 
bogus and non-existent companies. 

Priced at $1,000 per certificate, the service is also offering 
discounts on a volume basis, including custom contacts 
based customization files, including detailed info about the 
rogue company, used in the code signing process. Relying on 
basic 'visual social engineering' concepts, cybercriminals are 
perfectly positioned, to execute a successful campaign on a 
mass scale, or in a targeted nature, successfully targeting 
tens of thousands of users. 

We expect to continue observing relevant code signing as a 
service, type of cybercrime-friendly propositions, within the 
cybercrime ecosystem, with more market vendors, entering 
the market segment, further positioning themselves, as 
market leaders, through basic market segmentation, and 
efficient social engineering techniques. 
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Newly Launched Cybercrime Service Offers Access to 
POS Terminals on Demand (2016-08-17 14:32) 

Cybercriminals continue applying basic market segmentation 
concepts, to their underground market propositions, to 
further ensure, that, they're capable of targeting the right 
audience, potentially generating hundreds of thousands of 
fraudulently generating revenues in the process. 

From basic, malware as a service underground market 
propositions, offering access to country, city, ISP based type 
of malware-infected hosts, to cybercrime-friendly services, 
offering access to malware-infected hosts converted to 
anonymization proxies, to further target additional market 
segments, within the cybercrime ecosystem, cybercriminals 
continue to utilize basic market segmentation concepts, 
based on the targeted population. 

In this post, we'll discuss a newly launched managed service, 
offering access to POS (Point of Sale) terminals, further 
empowering, both, novice, and sophisticated cybercriminals, 








































































with the necessary access to commit related fraudulent 
activities. 
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The service is currently offering access to POS (Point of Sale) 
terminals, located, in the United States, Canada, Australia, 
United Kingdom, the Netherlands and Germany, priced 





























































between $30 and $50 for access to a POS (Point of Sale) 
terminal. 


Cybercriminals, continue relying on basic data mining 
concepts, while utilizing the overall target population, 
further, ensuring that their market-relevant propositions, 
while, continuing to generate fraudulent revenues, in, the, 
process. 

We expect to continue observing an increase in underground 
market propositions, utilizing basic market segmentation 
concepts, further positioning, both, novice, and experienced 
market leaders, as relevant and competitive market 
participants, potentially generating tens of thousands of 
fraudulently obtained assets in the process. 
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New Cybercrime-Friendly Service Offers Fake 
Documents and Bills on Demand (2016-08-28 15:33) 

The market segment, for, fake, documents, and, bills, 
continues, flourishing, thanks, to, a, vibrant, cybercrime, 
ecosystem, offering, access, to, a, variety, of commoditized, 
underground, market, items, further generating fraudulent 
revenue for the cybercriminals behind it. Thanks to the 
overall availability of DIY (do-it-yourself) type of malware 






















generating tools, and, the, overall prevalence, of money mule 
recruitment scams, allowing, cybercriminals, an easy access 
to basic risk-forwarding, tactics, cybercriminals, continue, 
generating, tens, of thousands, of fraudulent revenue in the 
process. 

In this, post, we'll discuss a newly launched managed 
cybercrime service offering access to fake documents, stolen 
credit cards, and, fake, bills, and, discuss, in-depth, the 
tactics, techniques, and procedures, of, the, cybercriminals 
behind it. 
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The service is currently offering fake documents for Australia, 
Belgium, Brazil, Canada, Denmark, Estonia, Finland, France, 
Germany, Greece, Italy, India, Netherlands, Norway, Latvia, 
Lithuania, Poland, Romania, Slovakia, Slovenia, Sweden, 
United Kingdom, USA, Russia, and fake bills for, Australia, 
Austria. Canada, Czech Republic, Estonia, France, Finland, 
Germany, Irland, Italy, United Kingdom, Latvia, Norway, 
Romania, Slovakia, Sweden, Switzerland, USA, Spain, Russia, 
France, Ukraine. 




We'll continue monitoring the market segment for fake 
documents, and, post, updates, as soon, as, new, 
developments, take place. 

This post has been reproduced from [lJDancho 
Danchev's blog. Follow him [2Jon Twitter. 

1. http://ddanchev.blo as pot.com/ 

2. https://twitter.com/dancho_danchev 
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Managed Hacked PCs as a Service Type of 
Cybercrime-friendly service Spotted in the Wild 
(2016-08-28 18:38) With the cybercrime ecosystem, 
persistently, supplying, new, malware, releases, 
cybercriminals continue occupying multiple market 
segments, within, the, cybercrime, ecosystem, generating, 
tens, of, thousands, of fraudulent revenue, in, the, process, 
potentially, empowering, new market entrants, with, the, 
necessary, tools, and, know-how, to, continue, launching, 
related, malicious, attacks, potentially, generating, tens, of, 
thousands, of fraudulent, revenue, in, the, process, while, 
targeting, users, internationally. 

In this, post, we'll profile a newly, launched, managed hacked 
PCs, as, a, service, type, of cybercrime-friendly, service, and, 
discuss, in, depth, the, tactics, techniques, and, procedures, 
of, the, cybercriminals, behind it. 
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Next to the overall availability of malware infected hosts 
empowering novice cybercriminals with the necessary tools 
and know, to, conduct, related, malicious attacks, 
cybercriminals, often, rely, on basic, market segmentation, 
approaches, further, taking, advantage, of the, affected, 
users, to, launch, related, managed cybercrime-friendly, 
type, of, managed, services. 
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The service is currently offering access to malware-infected 
hosts, in, the United States, Italy, France, Spain, Brazil, 
Argentina, and Poland, further, empowering, novice, 
cybercriminals, with, the, necessary, tools, and, know-how, 
to, continue, launching, related, malicious attacks. 

58 

We'll continue monitoring, the, market, segment, for, hacked 
PCs, and, post, updates, as, soon, as, new developments, 
take, place. 

This post has been reproduced from [lJDancho 
Danchev's blog. Follow him [2Jon Twitter. 

1. http://ddanchev.blo as oot.com/ 

2. https://twitter.com/dancho danchev 
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Managed SWF Injection Cybercrime-friendly Service 
Fuels Growth Within the Malvertising Market 
Segment (2016-08-29 11:58) 

Cybercriminals, continue, launching, new, cybercrime- 
friendly, services, aiming, to, diversify, their, portfolio, of, 
fraudulent, services, while, earning, tens, of, thousands of 
fraudulent revenue in the process. Thanks, to, a vibrant, 
cybercrime ecosystem, and, the, overall, availability, of, DIY 
(do-it-yourself) type of, malicious, software, generating, tools, 
cybercriminals, continue, diversifying, their, portfolio, of, 









fraudulent, services, while, earning, tens, of, thousands, of, 
fraudulent, revenue, in, the, process. 

Largely, relying, on, a diversified, set, of, tactics, techniques, 
and, procedures, cybercriminals, often, rely, on, automated, 
and, systematic, compromise, of, vulnerable, Web sites, for, 
the, purpose, of, active, traffic, acquisition, tactics, to hijack, 
intercept, and, monetize, the, acquired, traffic, for, the, 
purpose, of, earning, fraudulent, revenue, in, the, process. 
Thanks, to, a, vibrant, cybercrime-friendly, ecosystem, 
cybercriminals, continue, actively, hijacking, intercepting, 
and, monetizing, the, acquired, traffic, for, the, purpose, of, 
earning, fraudulent, revenue, in, the, process. 

In, this, post, we'll discuss, a, newly, launched, managed SWF 
injecting, type, of, cybercrime-friendly, service 
(108.162.197.62), provide actionable, intelligence, on, the, 
infrastructure, behind, it, and, discuss, in-depth, the, tactics, 
techniques, and, procedures, of, the, cybercriminals, behind 
it. 

Malicious MD5s known to have been downloaded 
from the same C &C server IP (108.162.197.62): MD5: 
738ef8e826b5f9070f555dc8d5e3320f 

MD5: 8dddfldl786ff72adc60057305f4f2c9 

MD5: 0042ef6bl51d68824999ed27e320ab7b 

MD5: ea0f806840a8fl765994d2941d24al8a 

MD5: 9d0e32a4fld4fb348f70f235e9731363 

Related malicious MD5s known to have phoned back 
to the same C &C server IP (108.162.197.62): MD5: 
4el08296flld99e56be375dcab2e03d4 



MD5: 8f696a2995aa56be5a7fe6ac8639e94a 


MD5: 2aa4fedd2626f4a210dl3a356cf721al 

MD5: 822606bb2f5a86bd20e4dlll705c9e99 

MD5: 6267650eb343bclfb063233aaf398c9a 

The, service, is, currently, offering, basic, type, of, account, 
registration, process, priced, at $100, and, premium, type, of, 
account, registration, process, priced, at, $1,000. 

We'll continue, monitoring, the, market, segment, for, 
malvertising, type, of, managed, cybercrime-friendly, 
services, and, post, updates, as, soon, as, new, 
developments, take, place. 

This post has been reproduced from [lJDancho 
Danchev's blog. Follow him [2Jon Twitter. 

60 

1. http://ddanchev.blo as pot.com/ 

2. https://twitter.com/dancho danchev 
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New Service Offerring Fake Documents on Demand 
Spotted in the Wild (2016-12-21 14:08) In, a, 

cybercrime, ecosystem, dominated, by, multiple, 
underground, market, participants, and, hundreds, of, 





fraudulent, propositions, cybercriminals, continue, 
successfully, monetizing, access, to, malware-infected, hosts, 
for, the, purpose, of, earning, fraudulent, revenue, in, the, 
process, largely, relying, on, a, set, of, DIY (do-it-yourself), 
managed, cybercrime-friendly, services, successfully, 
monetizing, access, to, malware-infected, hosts, for, the, 
purpose, of, earning, fraudulent, revenue, in, the, process. 

We've recently, intercepted, a, newly, launched, managed, 
on, demand, underground, market, type, of, service, 
proposition, offering, access, to, fake, documents, and, IDs, 
successfully, empowering, novice, cybercriminals, with, the, 
necessary, tactics, techniques, and, procedures, for, the, 
purpose, of, commiting, fraudulent, activities, while, earning, 
fraudulent, revenue, in, the, process, successfully, 
monetizing, access, to, malware-infected, hosts, while, 
earning, fraudulent, revenue, in, the, process. 

In, this, post, we'll, profile, the, service, provide, actionable, 
intelligence, on, the, infrastructure, behind, it, and, discuss, 
in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 
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In, a, cybercrime, ecystem, populated, by, hundreds, of, 
fraudulent, propositions, cybercriminals, continue, actively, 
launching, managed, cybercrime-friendly, services, 
successfully, monetizing, access, to, malware-infected, hosts, 
while, earning, fraudulent, revenue, in, the, process. Largely, 
relying, on, a, diverse, set, of, tactics, techniques, and, 
procedures, cybercriminals, continue, successfully, 
launching, managed, cybercrime-friendly, services, 
successfully, empowering, novice, cybercriminals with, the, 
necessary, tactics, techniques, and, procedures, for, the, 
purpose, of, earning, fraudulet, revenue, in, the, process, 
while, successfully, monetizing, access, to, malware-infected 
hosts, successfully, earning, fraudulent, revenue, in, the, 
process. 









The, market, segment, for, fake, IDs, and, fake, documents, 
continues, flourishing, largely, thanks, to, a, diverse, set, of, 
underground, market, segment, cybercrime-friendly, 
managed, services, successfully, empowering, novice, 
cybercriminals, with, the, necessary, tactics, techniques, and, 
procedures, to, fruther, commit, cybercrime, while, earning, 
fraudulent, revenue, in, the, process, while, successfully, 
monetizing, access, to, malware-infected, hosts. In, a, market, 
segment, dominated, by, commiditized, underground, 
market, cybercrime-friendly, propositions, cybercriminals, 
continue, actively, populating, the, market, segment, for, 
fake, IDs, and, fake, documents, with, hundreds, of, 
fraudulent, propositions, successfully, empowering, novice, 
cybercriminals, with, the, necessary, tactics, techniques, and, 
procedures, to, further, commit, fraudulent, activity, while, 
earning, fraudulent, revenue, in, the, process. 

We'll, continue, monitoring, the, market, segment, for, fake, 
documents, and, IDs, and, post, updates, as, soon, as, new, 
developments, take, place. 

Related posts: 
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[1] New Cybercrime-Friendly Service Offers Fake Documents 
and Bills on Demand 

[2] Cybercriminals Offer Fake/Fraudulent Press Documents 
Accreditation On Demand 

[3] Cybercriminals Offer High Quality Plastic U.S Driving 
Licenses/University ID Cards 

[4] Vendor of Scanned Fake IDs, Credit Cards and Utility Bills 
Targets the French Market Segment 



[5] Newly Launched 'Scanned Fake Pass ports/ IDs/C red it 
Cards/Utility Bills' Service Randomizes and Generates Unique 
Fakes On The Fly 

[6] A Peek Inside the Russian Underground Market for Fake 
Documents/IDs/Passports 1. 

http://ddanchev.blo as pot.com/2016/Q8/new-service-offers- 
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offer-fakefraudulent.html 
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scanned-fake.html 
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Historical OSINT - Spamvertised Client-Side Exploits 
Serving Adult Content Themed Campaign (2016-12-23 
06:47) 

There's no such thing as free porn, unless there are client- 
side, exploits, served. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, enticing, end, users, into, 
clicking, on, malware-serving, client-side, exploits, 
embedded, content, for, the, purpose, of, affecting, a, 
socially, engineered, user''s, host, further, monetizing, 


























access, by, participating, in, a, rogue, affiliate-network, 
based, type, of, monetizing, scheme. 


In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Sample, malicious, URL, known, to, have, 
participated, in, the, campaign: 

hxxp://jfkweb. chez. com/HytucztXRs. html? 

-> 

hxxp.y/aboutg. dothome. co. kr/bbs/theme 

_1 

_l.php 

-> 

http.y/aboutg. dothome. co. kr/bbs/theme 
_1 

_ 1. php ?s=hvqCgoLEI 
&id=6 


-> 

http://aboutg.dothome.co.kr/bbs/theme _1 _1 l.php? 
s=hvqCgoLEI &id=14 -> hxxp://meganxoxo.com - 



74.222.13.2 


- associated, name, servers: nsl.tube310.info; 
ns2.tube310.info - 74.222.13.24 

Parked there (74.222.13.2) are also: 

hxxp://e-leaderz.com - Email: seoproinc@gmail.com 

hxxp://babes4you.info - 74.222.13.25 

hxxp://tubexxxx.info 

hxxp://my-daddy.info - 74.222.13.25 

Related, malicious, URLs, known, to, have, 
participated, in, the, campaign: 

hxxp://eroticahaeven.info 

hxxp://freehotbabes.info 
hxxp://freeporn portal, info 
hxxp://hot-babez.info 
hxxp ://sex-sexo. i nfo 
hxxp://tube310.info 
hxxp://tube323.info 

The exploitation structure is as follows: 

hxxp://meganxoxo. com/xox/go. php ?sid=6 
-> 

hxxp://kibristkd. org. tr/hasan-ikizer/indexOl.php 



hxxp://fdl a234sa. com/js 


79.135.152.26 

-> 

hxxp ://asf356ydc. com/qual/index. php 


CVE- 

2008-2992; 

CVE-2009-0927; 

CVE-2010-0886 

-> 

hxxp://asf356ydc. com/qual/524 72f502b9688 

d3326a32ed5 ddd5 d2c.js 
-> 

hxxp://asf356yd c. com/qual/abe9c321312b206bffa 798ef9d5b 
6a9b.php?uid=206 


369 



hxxp://l 88.243.231.39/public/qual.jar 
-> 

hxxp ://asf356ydc. com/qual/loa d. php/0a358- 
4217553d 6fccbd 74 cfb 73e954b6 ?fo 
rum=thread 
Jd 
-> 

hxxp ://asf356ydc. com/do wnload/sta t. php 
-> 

hxxp://asf356yd c. com/do wnload/load/load. exe 

Related, malicious, URLs, known, to, have, 
participated, in, the, campaign: 

hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886 

- hxxp://jfkweb.chez.com/bud2.html 

- hxxp://jfkweb.chez.com/4.html 

- hxxp://wemhkr3t4z.com/qual/load/myexebr.exe 

- hxxp://asf356ydc.com/download/index.php 

- hxxp://89.248.111.71/qual/load.php?forum=jxp &ql 
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- hxxp://asf356ydc.com/qual/index.php 



Related, malicious, URIs, known, to, have, 
participated, in, the, campaign: 

hxxp://qual/10964108e3afab081edl986cde437202.js 

hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php? 
spn = 2 &uid = 213393 & hxxp://qual/index.php?browser 
_version = 6.0 &uid = 213393 &browser=MSIE &spn = 2 

Related, malicious, URLs, known, to, have, 
participated, in, the, campaign: 

hxxp://download/banner.php?spl=javat 

hxxp://download/jl _ke.jar 
hxxp://download/j2 _93.jar 

parked on 89.248.111.71, AS45001, Interdominios _ono 
Grupo Interdominios S.A. 

wemhkr3t4z.com - Email: fole@fox.net - MD5: 
3b375fc53207elf54504d4b038d9fe6b Related, 
malicious, MD5s, known, to, have, participated, in, 
the, campaign: hxxp://alhatester.com/cp/file.exe- 
204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 
208.73.211.247; 208.73.211.249; 208.73.211.246; 
208.73.211.233; 208.73.211.238; 208.73.211.208 

Known, to, have, phoned, back, to, the, same, 
malicious, C &C, server, IPs, are, also, the, following, 
malicious, MD5s: 

MD5: 89fb419120dl443e86d37190c8f42ae8 
MD5: 3194e6282b2e51ed4efl86ce6125ed73 
MD5: 7f42da8b0f8542a55e5560e86c4df407 


MD5: f8bdc841214ae680a755b2654995895e 



MD5: ed8062el52ccbel4541d50210f035299 

Once, executed, a, sample, malware (MD5: 
89fb419120dl443e86d37190c8f42ae8), phones, 
back, to, the, following, C &C, server, IPs: 

hxxp://gremser.eu 

hxxp://bibliotecacenamec.org.ve 

hxxp://fbpei ntures.com 

hxxp://postgil.com 

hxxp://veruml.home.pl 

hxxp://przed wislocze.internetdsl.pl 

hxxp://isku rders.webkursu.net 

hxxp://pen nthaicafe.com.au 

hxxp://mothereng ineering.com 

hxxp://kru poonsak.com 

Once, executed, a, sample, malware (MD5: 
3194e6282b2e51ed4efl86ce6125ed73), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://get.enomenalco.club 

hxxp://promos-back.peerdlgo.info 

hxxp://get.cdzhugashvili.bid 

hxxp://doap.ctagonallygran.bid 

hxxp://get.gunnightmar.club 



hxxp://huh.adowableunco.bid 

hxxp://slibby.ineddramatiseo.bid 
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Once, executed, a, sample, malware (MD5: 
7f42da8b0f8542a55e5560e86c4df407), phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://acemog I usucuklari.com.tr 

hxxp://a-bring.com 

hxxp://tn69abi.com 

hxxp://gim8.pl 

hxxp://sso.an btr.com 

Once, executed, a, sample, malware (MD5: 
f8bdc841214ae680a755b2654995895e), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://dtrack.seed ls.com 

hxxp://api.v2.secdls.com 

hxxp://a pi. v2.sslsecurel.com 

hxxp://a pi. v2.sslsecure2.com 

hxxp://api.v2.sslsecure3.com 

hxxp://a pi. v2.sslsecure4.com 

hxxp://api.v2.sslsecure5.com 

hxxp://api.v2.sslsecure6.com 




hxxp://a pi. v2.sslsecure7.com 
hxxp://api.v2.sslsecure8.com 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 
67.215.255.139; 184.168.221.87 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, C &C, server, IPs 
(67.215.238.77): MD5: 
1233c86d3ab0081b69977dbc92f238d0 

Known, to, have, responded, to, the, same, 
malicious, IPs, are, also, the, following, malicious, 
domains: hxxp://blog.symantecservice37.com 

hxxp://agoogle.in 

hxxp://adv.anti virup.com 

hxxp://cd ind.antivirup.com 

Once, executed, a, sample, malware, phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://v00d00.org/nod32/update.php 

Known, to, have, responded, to, the, same, 
malicious, IPs (67.215.255.139), are, also, the, 
following, malicious, domains: 

hxxp://lenovoserve.trickip.net 

hxxp://proxy. wikaba.com 

hxxp://th ink.jkub.com 



hxxp://u pgrate.freeddns.com 
hxxp://webproxy.sendsmtp.com 
hxxp://yote.del lyou.com 
hxxp://lostself.dyndns.info 
hxxp://dellyou.com 
hxxp://mtftp.freetcp.com 
hxxp://ftp.adobe.acmetoy.com 
hxxp://ti meout.myvnc.com 
hxxp://fash ion.servehalflife.com 
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Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(67.215.255.139): 

MD5: e76aa56b5ba3474dda78bf31ebfle6c0 

MD5: 4de5540e450e3el8a057f95d20e3d6f6 

MD5: 346a605c60557e22bf3f29a61df7cd21 

MD5: ae9fefda2c6d39bclcec36cdf6cle6c4 

MD5: da84fld6c021b55b25ead22aae79f599 

Known, to, have, responded, to, the, same, 
malicious, C &C, server, IPs (184.168.221.87), are, 
also, the, following, malicious, domains: 


hxxp://teltrucki ng.com 



hxxp://capecoraldi ning.org 
hxxp://ca rsforsaletoronto.com 
hxxp://joeyboca.com 
hxxp://meeraamaci ds.com 
hxxp://orangepotus.com 
hxxp://pal merhardware.com 
hxxp://rai I roadtohell.com 

Related, malicious, MD5s, known, to, have, phoned, 
back, the, same, malicious, C &C, server, IPs 
(184.168.221.87):MD5: 

037f812032 3f2ddff3c806185512 538c 

MD5: 44f0e8fe53a3b489cb5204701fa 1773d 

MD5: 8a053e8d3e2eafc27be9738674d4d5b0 

MD5: 9efc79cd75d23070735da219c331fe4d 

MD5: ed81b9flb72e31dfl040ccaf9ed4393f 

Once, executed, a, sample, malware (MD5: 
037f8120323f2ddff3c806185512538c), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://porno-kuba.net/emo/ld.php?v=l &rs= 1819847107 
&n = l &uid = l 

Once, executed, a, sample, malware, (MD5: 
44f0e8fe53a3b489cb5204701fal773d), phones, back, 
to, the, following, C &C, server, IPs: 



hxxp://mhc.ir 
hxxp://naphoocl ub.com 
hxxp://mdesigner.ir 
hxxp://nazarcafe.com 
hxxp://meand love.com 
hxxp://nakhonsawangames.com 
hxxp://mevl anacicek.com 
hxxp://meeraprabhu.com 
hxxp://micr.ae 

hxxp://my hyderabadads.com 

hxxp://cup-muangsuang.net 

Sample, malicious, URLs, known, to, have, 
participated, in, the, campaign: 

hxxp://portinilwo.com/nhjq/n09230945.asp 

- hxxp://portinilwo.com/botpanel/sell2.jpg 

- hxxp://portinilwo.com/boty.dat 

- hxxp://91.188.60.161/botpanel/sell2.jpg 
87 

- hxxp://91.188.60.161/botpanel/ip.php 

Once, executed, a, sample, malware, phones, back, 
to, the, following, C &C, server, IPs: asf356ydc.com - 
MD5: 3b375fc53207elf54504d4b038d9fe6b 



Related, malicious, domains, known, to, have, 
participated, in, the, campaign: asf356ydc.co 

kaljv63s.com 

sadkajt357.com 

We'll, continue, monitoring, the, fraudulent, infrastructure, 
and, post, updates, as, soon, as, new, developments, take, 
place. 
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Historical OSINT - Celebrity-Themed Blackhat SEO 
Campaign Serving Scareware and the Koobface 
Botnet Connection (2016-12-23 08:02) 

In, a, cybercrime, dominated, by, fraudulent, propositions, 
historical, OSINT, remains, a, crucial, part, in, the, process, of, 
obtaining, actionable, intelligence, further, expanding, a, 
fraudulent, infrastructure, for, the, purpose, of, establishing, 
a, direct, connection, with, the, individuals, behind, it. 
Largely, relying, on, a, set, of, tactics, techniques, and, 
procedures, cybercriminals, continue, further, expanding, 
their, fraudulent, infrastructure, successfully, affecting, 









hunreds, of, thousands, of, users, globally, further, earning, 
fraudulent, revenue, in, the, process, of, committing, 
fraudulent, activity, for, the, purpose, of, earning, fraudulent, 
revenue, in, the, process. 

In, this, post, we'll, discuss, a, black, hat, SEO (search engine 
optimization), campaign, intercepted, in, 2009, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it, successfully, 
establishing, a, direct, connection, with, the, Koobface, gang. 

The, Koobface, gang, having, successfully, suffered, a, major, 
take, down, efforts, thanks, to, active, community, and, ISP 
(Internet Service Provider), cooperation, has, managed, to, 
successfully, affect, a, major, proportion, of, major, social, 
media, Web, sites, including, Facebook, and, Twitter, for, the, 
purpose, of, further, spreading, the, malicious, software, 
served, by, the, Koobface, gang, while, earning, fraudulent, 
revenue, in, the, process, of, monetizing, the, hijacked, and, 
acquired, traffic, largely, relying, on, the, use, of, fake, 
security, software, and, the, reliance, on, a, fraudulent, 
affiliate-network, based, type, of, monetizing, scheme. 
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Largely, relying, on, a, diverse, set, of, traffic, acquisition, 
tactics, including, social, media, propagation, black, hat, SEO 

(search engine optimization), and, client-side, exploits, the, 
Koobface, gang, has, managed, to, successfully, affect, 
hundreds, of, thousands, of, users, globally, successfully, 
populating, social, media, networks, such, as, Facebook, and, 
Twitter, with, rogue, and, bogus, content, for, the, purpose, of, 
spreading, malicious, software, and, earning, fraudulent, 
revenue, in, the, process, largely, relying, on, a, diverse, set, 
of, traffic, acquisition, tactics, successfully, monetizing, the, 
hijacked, and, acquired, traffic, largely, relying, on, the, use, 
of, affiliate-network, based, traffic, monetizing, scheme. 












Let's, profile, the, campaign, provide, actionable, 
intelligence, on, the, infrastructure, behind, it, discuss, in- 
depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it, and, establish, a, direct, 
connection, with, the, Koobface, gang, and, the, Koobface, 
botnet's, infrastructure. 

Sample URL, redirection, chain: 

hxxp .-//flash, grywebo we. com/elin5885/? 
x=entry:entry091109-071901 


-> 

http://alicia- 

witt. com/elinl 619/?x=entry:entry091112-185912 
-> 

hxxp://indiansoftwareworld. com/index. php?affid=31700 


213.163.89.56 
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•follow, noorcAivw"> 


LABZl_CO£SC -•> 

<toai> 

<Ull»lo>dlno</UU» 

owl4 Mw*'roboti* coat#«t -"noindex, e. 

<i(rtft> 

fuact ic-r. handlelrror<l ctry<window. parent. location-locat ion; >cateh(e) I Itryi window.cop. locat ion-locat low>catch(«)<> > window.onerror-handlelrror; 

it (window,parent .franes. iength>0) < it (window,parent .(>oc«tbt .body. innerNTKLi () 1 

</icrltt> 

<actlyt> 

It ( location. heat. ladwxOt 1* consol wyes* I '• -1) l _ 


It (navigator.appVersion.indwxOfC*Bit’| > 0) < wtadov.ult • true (action M1 wvwrilon|| ( var ua • window.navigator.ui«rAgent; vac Hl« • 

ua. ladewOf l "M It ").* it Insia > 0) ntwn parseine (ua. safest ring (a* ie ♦ $. i»a. indexOf<".", Mill)); r«tu» 0; > window. Itversion - »elever*ionll; 

function openPangerVinfewiadrl 4 if (window. i»IK) i if (window. reversion < (I ( window, open (adr); ) else ( try < 

doon*ent .getElenentlyldr lie->. launcfcWXladrl; I catchleel O 1 > ala* i location.href • air; ) ) 

function exiterO < open! anger Window (window, location, beat I » openhangerWindow |dangerVlnlAdc | ; return falaat » 

It (window.ettachfveatl aval("window.atlaehEvent(•oaualond',exltwt);•): aloe window.oddiveniListener("unload”, exltwe, false); 

1 

</mlpt> 

<icr ipt tjna#"" r ext/ java* mpt ">doc«s»e*.t. wr ita (* <CdJ• •' tCT Id-"!**' la" width-*0" h*ighe-"0" »tyle-"po*it ica: absolute; left:0;top:0;" 

CUT CLI'V 52-JMA-ll ♦ d>-im-co:04r fTITUf* trpe-"appl icat loWx-olW oto)e' • ct"> <PA ♦ PA« 

KAn-'den’e’dPlaySceteChe-♦-ngelvents* VALUI-"True*> cM’o'RAI NAKl-'Aw* to*t • ♦*art* VAUH-*True"> <?&*'♦*AH nane-"uiHo f ♦ de" value- 
nane-"Play ♦• Count" valve""9999"></C*JICT>’ | j</sr>lpt> 
cwctiyt language- "javas.-i ipt ">AC_fL_PanContant • 0;</ectipt> 

<acdpl language-" javaact ipt"> 

var lalt • (navigator .appVaraloa. led** Of I '• -1) J true : false; 

vac isVin • (navigator .appVwrslon.tolovwrCase (). indaxOf ("uin") '• -1) 7 true : talas; 
var laOpara - (navigator.userAgent.index OfI"Opera") -1| ? true : falsa; 

function ControlVersioall ( 
var version! 
var axoi 
var aj 
try ( 

axo • new ActivelObject|"Shockwaveflash.Sbockwavwrlaak.T*|; 
version * axo.CatVarlabia|"(version*); 

I cotoll (f) (I 
it ('varstoni ( 
try I 

axo - new Act iveXCtoject ("Sbocltaavef lash.Sbocfcaavef lash.«•) j 
version - “SIN 6,0,21,0"; 
axo.AllowScriptAccess • "always"; 
version * axo.CatVarlabia("(version"!j 


*none"> <PA ♦ PA* 


Sample, detection, rate, for, a, malicious, 
executable:MD5: bd7419a376f9526719d4251a5dab9465 

Sample, URL, redirection, chain, leading, to, client- 
side, exploits: hxxp://loomoom.in/counter.js - 64.20.53.84 - 
the front page says 11 We are under DDOS attack. Try later M . 

hxxp ://firefoxfo wn er. cn/?pid=101s06 

&sid=977111 

-> 

hxxp://royalsecurescana. com/scanl/?pid=l 01s6 

&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZTOxMjUxNMkNP 

AhN 

Sample, detection, rate, for, a, malicious, executable: 


MD5: a91albb995e999f27ffc5d9aa0ac2ba2 



Once, executed, a, sample, malware, phones, back, 
to: 

hxxp://systemcoreupdate. com/download/timesroman. tif - 
213.136.83.234 
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Sample, URL, redirection, chain: 

hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is 
also left 11 We are under DDOS attack. Try later Jl 

hxxp://johnsmith. in/counter.js - 64.20.53.86 

hxxp://gamotoe. in/counter, js 

hxxp://po!ofogoma.in/counter, js 








hxxp://jajabin. in/counter, js 
hxxp://dahaloho. in/counter, js 
hxxp://gokreman. in/counter, js 
hxxp://freeblogcounter2. com/counter, js 
hxxp:///ahhangar. in/counter, js 
hxxp://ga loro bap. in/counter, js 

Sample, directory, structure, for, the, black, hat, SEO 
(search engine optimization), campaign: 

hxxp://images/include/bmblog 

hxxp://bm blog/category/a rt/ 

hxxp ://images/style/bmblog 

hxxp://photos/archi ve/bmblog/ 

hxxp://temp\ates/img/bmb\og 

hxxp://phpsessions/bmblog 

hxxp .-//Index _archi vos/img/bmblog/ 

hxxp://bmblog/category/hahahahahah/ 

hxxp://gallery/include/bmblog 

Sample, malicious, domains, participating, in, the, 
campaign: pcmedicalbilling.com - Email: 
sophiawrobertson@pookmail.com 
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securitytoolnow.com - Email: ronaldmpappas@dodgit.com 
securitytoolsclick.net- Email: ruthdtrafton@dodgit.com 

security-utility.net - Email: 
richardrmccullough@trashymail.com 

Historically on the same IP were parked the 
following, now responding to 91.212.107.37 domains: 

online-spyware-remover.biz - Email: 
robertsimonkroon@gmail.com 

online-spyware-remover.info - Email: 
robertsimonkroon@gmail.com 

spyware-online-remover.biz - Email: 
robertsimonkroon@gmail.com 

spyware-online-remover.com - Email: 
robertsimonkroon@gmail.com 

spyware-online-remover.info - Email: 
robertsimonkroon@gmail.com 

spyware-online-remover.net - Email: 
robertsimonkroon@gmail.com 

spyware-online-remover.org - Email: 
robertsimonkroon@gmail.com 

tubepornonline.biz - Email: robertsimonkroon@gmail.com 
tubepornonline.org - Email: robertsimonkroon@gmail.com 
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mail.newsecurity1ools.net 



Sample, malicious, domains, known, to, have, 
participated, in, the, campaign: 

hxxp://antyspywarestore. com/index, php ?affid=90400 

hxxp://newsecuritytools.net/index.php?affid=90400 - 
78.129.166.11 - Email: joyomcdermott@gmail.com Sample, 
detection, rate, for, a, malicious, executable: 

MD5: 0feffd97ffe3ecc875cfe44b73f5653b 



MD5: a0d9d3127509272369f05c94ab2acfc9 


Naturally, it gets even more interesting, in particular the fact 
the very same robertsimonkroon@gmail.com used to 
register the domains historically parked at the IP that is 
currently hosting the scareware domains part of the massive 
blackhat SEO campaign - the very same domains ( 
hxxp://firefoxfowner.cn), were also in circulation on Koobface 
infected host, in a similar fashion when the domains used in 
the New York Times malvertising campaign were 
simultaneously used in blackhat SEO campaigns managed 
by the Koobface gang - have not only been seen in July's 
scareware campaigns - but also, has been used to register 
actual domains used as a download locations for the 94 
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scareware campaigns part of the [l]Koobface botnet's 
scareware business model. 

Parked, at, the, same, malicious, IP (91.212.107.37), 
are, also, the, following, malicious, domains: 

hxxp://free-web-down load, com 

hxxp://web-free-down load, com 

hxxp://i qmediamanager.com 

hxxp://oesoft.eu 

hxxp://unsoft.eu 

hxxp://losoft.eu 

hxxp://tosoft.eu 

hxxp://kusoft.eu 

Sample, detection, rate, for, a, malicious, executable: 

MD5: 29ff816c7elll47bb74570c28c4e6103 

MD5: e59b66ebl680c4fl95018b85e6d8b32b 

MD5: b34593d884a0bc7a5adb7ab9d3bl9a2c 

The overwhelming evidence of underground multi-tasking 
performed by the Koobface gang, it's connections to money 
mule recruitment scams, high profile malvertising attacks, 
and current market share leader in blackhat SEO 
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campaigns, made, the, group, a, prominent, market, leader, 
within, the, cybercrime, ecosystem, having, successfully, 



affecting, hundreds, of, thousands, of, users, globally, 
potentially, earning, hundreds, of, thousands, in, fraudulent, 
revenue, in, the, process. 
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Historical OSINT - Zeus and Client-Side Exploit 
Serving Facebook Phishing Campaign Spotted in the 
Wild (2016-12-23 11:29) 

In, a, cybercrime, ecosystem, dominated, by, fraudulent, 
propositions, cybercrimianals, continue, actively, populating, 
their, botnet's, infected, population, with, hundreds, of, 
thousands, of, newly, affected, users, globally, potentially, 
compromising, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, to, a, multi-tude, of, 
malicious, software, further, earning, fraudulent, revenue, in, 
the, process, of, monetizing, the, affected, botnet's, 
population, largely, relying, on, the, utilization, of, affiliate- 
based, type, of, fraudulent, revenue, monetization, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, impersonating, Facebook, for, 
the, purpose, of, serving, client-side, exploits, to, socially, 
engineered, users, further, compromising, the, 
confidentiality, integrity, and, availability, of, the, affected, 
hosts, to, a, multi-tude, of, malicious, software, further, 
earning, fraudulent, revenue, in, the, process, of, monetizing, 
the, affected, hosts, largely, relying, on, the, use, of, affiliate- 
based, type, of, fraudulent, revenue, monetizing, scheme. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind it, 
discuss, in-depth, the, tactics, techniques, and, procedures, 
of, the, cybercriminals, behind, it, and, provide, actionable, 
intelligence, on, the, infrastructure, behind, it. 

Sample, URL, exploitation, chain: 

hxxp://auth.facebook.com.megavids.org/id735rp/LoginFaceb 
ook.php 


- hxxp://wqdfr.salefale.com/index.php - 62.193.127.197 



- hxxp://spain.salefale.com/index.php 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: hxxp://salefale.com - 
112.137.165.114 

- hxxp://countrtds.ru - 91.201.196.102 - Email: 
thru@freenetbox.ru Sample, detection, rate, for, the, 
malicious, executable: 

MD5:e96c8d23e3b64d79e5el34a9633d6077 

MD5: 19d9cc4d9d512e60f61746ef4c741f09 

Once, executed, a, sample, malware, phones back to: 

hxxp://makotoro.com 

Related, malicious, C &C, server, IPs, known, to, 
have, participated, in, the, campaign: 

hxxp://91.201.196.99 

hxxp ://91.2 01.196.7 7 
hxxp ://91.2 01.196.101 
hxxp 7/91.2 01.196.3 5 
hxxp 7/91.2 01.196.7 5 
hxxp 7/91.2 01.196.7 6 
hxxp 7/91.2 01.196.38 
hxxp 7/91.2 01.196.34 
hxxp 7/91.2 01.196.3 7 



Related, malicious, C &C, server, IPs 
(212.175.173.88), known, to, have, participated, in, 
the, campaign: hxxp://downloads.fileserversa.org 

hxxp://d own loads.fileserversc.org 

hxxp://down loads.fileserversd.org 
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hxxp://down loads, portodrive.org 
hxxp://down loads.fileserversj.org 
hxxp://down loads.fileserversk.org 
hxxp://down loads.fileserversm.org 
hxxp://down loads.fileserversn.org 
hxxp://down loads.fileserverso.org 
hxxp://down loads.fileserversq.org 
hxxp://down loads.fi leserversr.org 
hxxp://auth .facebook.com.megavids.org 
hxxp://auth. facebook.com. fileserversl.com 
hxxp://auth .facebook.com.legomay.com 
hxxp://auth .facebook.com.crymyway.com 
hxxp://auth .facebook.com.portodrive.net 
hxxp://auth.facebook.com. modavedis.net 
hxxp://auth .facebook.com.migpix.net 



hxxp://auth .facebook.com.legomay.net 
hxxp://auth .facebook.com.crymyway.net 
hxxp://down loads, meg avids.org 
hxxp://down loads, regzavids.org 
hxxp://down loads, vedivids.org 
hxxp://downloads. restpictures.org 
hxxp://down loads, modavedis.org 
hxxp://down loads.fi leserverst.org 
hxxp://down loads.fileserversu.org 
hxxp://down loads, regzapix.org 
hxxp://down loads, reggiepix.org 
hxxp://down loads, mi gpix.org 
hxxp://down loads, restopix.org 
hxxp://down loads, legomay.org 
hxxp://down loads.vediway.org 
hxxp://down loads.compoway.org 
hxxp://down loads, restway.org 
hxxp://down loads.cry my way.org 
hxxp://down loads.fileserversa.com 
hxxp://down loads.fileserversb.com 



hxxp://down loads.fileserversc.com 
hxxp://down loads.fileserversd.com 
hxxp://down loads.fi leserverse.com 
hxxp://down loads.fi leserversf.com 
hxxp://down loads.fileserversg.com 
hxxp://down loads.fileserversh.com 
hxxp://down loads.fileserversi.com 
hxxp://down loads.fileserversj.com 
hxxp://down loads.fi leserversk.com 
hxxp://down loads.fileserversl.com 
hxxp://down loads.fileserversm.com 
hxxp://down loads.fileserversn.com 
hxxp://down loads.fi leserverso.com 
hxxp://down loads.fileserversp.com 
hxxp://down loads.fileserversq.com 
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hxxp://down loads.fi leserversr.com 
hxxp://down loads, regzavids.com 
hxxp://down loads, vedivids.com 
hxxp://down loads, restpictures.com 



hxxp://down loads, modavedis.com 
hxxp://down loads.fi leserverss.com 
hxxp://down loads.fi leserverst.com 
hxxp://down loads.fileserversu.com 
hxxp://down loads, regzapix.com 
hxxp://down loads, reggiepix.com 
hxxp://down loads, mi gpix.com 
hxxp://down loads, legomay.com 
hxxp://down loads.vediway.com 
hxxp://down loads.compoway.com 
hxxp://down loads.cry my way.com 
hxxp://down loads.fileserversa.net 
hxxp://down loads.fileserversb.net 
hxxp://down loads, fileserversc.net 
hxxp://down loads, fileserversd.net 
hxxp://down loads.fi leserverse.net 
hxxp://down loads, portodrive.net 
hxxp://down loads.fi leserversf.net 
hxxp://down loads, fileserversg.net 
hxxp://down loads.fileserversh.net 



hxxp://down loads.fileserversi.net 
hxxp://down loads.fileserversj.net 
hxxp://down loads.fi leserversk.net 
hxxp://down loads.fileserversl.net 
hxxp://down loads.fileserversm.net 
hxxp://down loads, fileserversn.net 
hxxp://down loads.fi leserverso.net 
hxxp://down loads, fileserversp.net 
hxxp://down loads.fileserversq.net 
hxxp://down loads.fi leserversr.net 
hxxp://down loads, regzavids.net 
hxxp://down loads, vedivids.net 
hxxp://down loads.tastyfiles.net 
hxxp://down loads, restpictures.net 
hxxp://down loads, modavedis.net 
hxxp://down loads.fi leserverss.net 
hxxp://down loads.fi leserverst.net 
hxxp://down loads.fileserversu.net 
hxxp://down loads, regzapix.net 
hxxp://down loads, reggiepix.net 



hxxp://down loads, mi gpix.net 
hxxp://down loads, legomay.net 
hxxp://down loads.vediway.net 
hxxp://down loads.compoway.net 
hxxp://down loads, restway. net 
hxxp://down loads.crymyway.net 
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We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Haiti-themed Blackhat SEO 
Campaign Serving Scareware Spotted in the Wild 
(2016-12-23 12:53) 

In, a, cybercrime, ecosystem, dominated, by, fraudulent, 
propositions, cybercriminals, continue, actively, spreading, 
malicious, software, largely, relying, on, a, pre-defined, set, 
of, compromised, hosts, for, the, purpose, of, spreading, 
malicious, software, further, expanding, a, specific, botnet's, 
infected, population, further, earning, fraudulent, revenue, 
in, the, process, of, monetizing, the, access, to, the, infected, 
hosts, largely, relying, on, an, affiliate-based, type, of, 
monetizing, scheme. 

In, this, post, we'll, profile, a, currently, circulating, malicious, 
black, hat, SEO (search engine optimization), campaign, 
provide, actionable, intelligence, on, the, infrastructure, 
behind, it, and, discuss, in-depth, the, tactics, techniques, 
and, procedures, of, the, cybercriminals, behind, it. 



Sample, portfolio, of, affected, Web, sites: 

hxxp://austi nluce.co.uk 
hxxp://nau katanca.co.uk 
hxxp://truenorthi nnovation.co.uk 
hxxp://robsonsofwolsi ngham.co.uk 
hxxp://daviddewphotog raphy.co.uk 
Sample, URL, redirection, chain: 
hxxp://sciencefi rst.com/?red = haiti-earthquake-donate 

- hxxp://otsosute.freehostia.com/c.html 

- hxxp://scan-now24.com/go.php?id = 2022 &key=4c69e59ac 
&d = l 

Sample, URL, redirection, chain: 

hxxp://lipsticpi.ru/sm/r.php 

- hxxp://uscaau.com/back.php 

- hxxp://sekuritylistsite.com/hitin.php7land = 20 
&affid = 94801 

- hxxp://my premiumantyspywarepill.com/hitin. php? I and = 20 
&affid = 94801 

- hxxp://mypremiumantyspywarepill.com/index.php? 
affid = 94801 

Sample, detection, rate, for, a, sample, malicious, 
executable: MD5: ebc956abadefdac794ebcdl898ea07cf 



Sample, detection, rate, for, a, sample, malicious, 
executable: MD5: d65a5dlab98bd690dccd07cb6eebcba3 

Once, executed, a, sample, malware, phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://mypremi umantyspywarepill.com/in.php7affid=94801 

hxxp://greatnorthwill.com/?mod=vv &i = l &id = ll-18 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: 

hxxp://getholidaypresent0.com - 204.12.225.83 

hxxp://g etholidaypresent2.com 
hxxp://g etholidaypresent3.com 
hxxp://scan-now22.com 
hxxp://scan-now23.com 
hxxp://scan-now24.com 
hxxp://santacl aus4.com 
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hxxp://g etholidaypresent5.com 

hxxp://g etholidaypresent7.com 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: 

hxxp://freeantyviruspillblog.com - 213.163.91.240 

hxxp ://newgoodantyspy warepill.com 
hxxp://my premiumantyspywarepill.com 



hxxp ://freegoodantyvi ruspill.com 
hxxp://freeantyspy warepillshop.com 
hxxp ://thevi rustoolbox.com 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Massive Black Hat SEO Campaing 
Serving Scareware Spotted in the Wild (2016-12-24 
05:47) In, a, cybercrime, ecosystem, dominated, by, 
fraudulent, propositions, cybercriminals, continue, actively, 
acquiring, and, hijacking, traffic, for, the, purpose, of, 
converting, it, to, malware-infected, hosts, while, earning, 
fraudulent, revenue, in, the, process, of, monetizing, the, 
hijacked, and, acquired, traffic, largely, relying, on, a, set, of, 
tactics, techniques, and, procedures, successfully, earning, 
fraudulent, revenue, in, the, process, of, monetizing, the, 
hijacked, and, acquired, traffic, largely, relying, on, an, 
affiliate-based, type, of, monetizing, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, black, hat, SEO (search engine optimization), 
campaign, serving, fake, security, software, also, known, as, 
scareware, successfully, monetizing, the, hijacked, and, 
acquired, traffic, largely, relying, on, the, utilization, of, 
affiliate-network, based, type, of, monetizing, scheme. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 


Sample, portfolio, of, compromised, Web, sites: 



hxxp://y ushikai.co.uk 
hxxp://www. heart-2-heart.nl 
hxxp://www.stichti ngkhw.nl 
hxxp://bu rgessandsons.com 
hxxp://marsmel low. info 
hxxp://broolz.co.uk 
hxxp://bodyscope.co.uk 
hxxp://janschnoor.de 
hxxp://g oodluckflowers.com 
hxxp://www.frank-cari I lo.com 
hxxp://www.strij kvrij.com 
hxxp://www.fotosi ast.nl 
hxxp://www.sen beauty.nl 
hxxp://www.menno.info 
hxxp ://www. ku I .f m 
Sample, URL, redirection, chain: 
hxxp://onotole.iblogger.org/2.html 

199.59.243.120; 


205.164.14.79; 



199.59.241.181 


> 

hxxp://mycommerci alssecuritytool.com/index.php? 
affid = 34100 

89.248.171.48 

Email: 

Kathryn.D.Jennings@gmail.com 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: 

hxxp://myatmoe. iblogger.org 

hxxp://creditreport.iblogger.org 
hxxp://movi eddlheaven.iblogger.org 
hxxp://cv-bruno-brocas. iblogger.org 
hxxp://isl ife.iblogger.org 
hxxp://i blogger, iblogger.org 
hxxp://d ressshirt.iblogger.org 
hxxp://a 11 ians.iblogger.org 
hxxp://rapid-wei ght-loss.iblogger.org 



hxxp://breastaug rn.iblogger.org 
hxxp://u ila.iblogger.org 
hxxp://oh-tv. iblogger.org 
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hxxp://brudnopis.iblogger.org 
hxxp://learneng I ish.iblogger.org 
hxxp://motivatedcats. iblogger.org 
hxxp://robert.iblogger.org 
hxxp://testforask. iblogger.org 
hxxp://poormang uides.iblogger.org 
hxxp://gel begabeln.iblogger.org 
hxxp://nuagerouge. iblogger.org 
hxxp://chicos-on-l ine.iblogger.org 
hxxp://hy pnosisworld.iblogger.org 
hxxp://ten nis.iblogger.org 
hxxp://i bu.iblogger.org 
hxxp://tu rkifsa.iblogger.org 
hxxp://amandacooper. iblogger.org 
hxxp://tw. iblogger.org 
hxxp://whedon. iblogger.org 



hxxp://han. iblogger.org 
hxxp://scclab. iblogger.org 
hxxp://besftfoodblogger. iblogger.org 
hxxp://premi ummenderacunt.iblogger.org 
hxxp://seobook. iblogger.org 
hxxp://bestjackets.iblogger.org 
hxxp://kidszone. iblogger.org 
hxxp://l iker2fb.iblogger.org 
hxxp://vi pin. iblogger.org 
hxxp://i nfobaru.iblogger.org 
hxxp://palermo.iblogger.org 
hxxp://foru rn.bay.de.iblogger.org 
hxxp://on I ine-guard.iblogger.org 
hxxp://j uhjsd.iblogger.org 
hxxp://asu 11 Ublogger.org 
hxxp://youtu betranscription.iblogger.org 
hxxp://praza.iblogger.org 
hxxp://free-worlds. iblogger.org 
hxxp://ml rn.iblogger.org 
hxxp://my leskadusale.iblogger.org 



hxxp://n injapearls.iblogger.org 
hxxp://bassian. iblogger.org 
hxxp://d 3-f21-w-14.iblogger.org 
hxxp://mlk. iblogger.org 
hxxp://pe.iblogger.org 
hxxp://con nor54321.iblogger.org 
hxxp://smx. iblogger.org 
hxxp://l 7fire.iblogger.org 
hxxp://g reatestbattles.iblogger.org 
hxxp://generalsu rgery.iblogger.org 
hxxp://megafon. iblogger.org 
hxxp://dasefx. iblogger.org 
hxxp://ysofii. iblogger.org 
hxxp://priv8. iblogger.org 
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hxxp://ka hramanmaras.iblogger.org 
hxxp://kaoojcjl. iblogger.org 
hxxp://i nfobaru.iblogger.org 
hxxp://dla-kobiet. iblogger.org 
hxxp://ka rinahart.iblogger.org 



hxxp://mari ucciaelasuaombra.iblogger.org 
hxxp://sig ninbay.de.iblogger.org 
hxxp://pitstop.iblogger.org 
hxxp://colorless. iblogger.org 
hxxp://d irectorio.iblogger.org 
hxxp://odenavi va.iblogger.org 
hxxp://e-money. iblogger.org 
hxxp://d igicron.iblogger.org 
hxxp://slotomania-hackers. iblogger.org 
hxxp://blazetech. iblogger.org 
hxxp://blazetech. iblogger.org 
hxxp://bestoksriy. iblogger.org 
hxxp://teamsite. iblogger.org 
hxxp://mateapl icada.iblogger.org 
hxxp ://tmgames. iblogger.org 
hxxp://nati vephp.iblogger.org 
hxxp://priv8. iblogger.org 
hxxp ://sharepoi ntdotnetwiki.iblogger.org 
hxxp://nati vephp.iblogger.org 
hxxp://seobook. iblogger.org 



hxxp ://j awwal.iblogger.org 

hxxp://tomsplace. iblogger.org 

hxxp://sh reyo.iblogger.org 

hxxp://g reatestbattles.iblogger.org 

hxxp://beityped ia.iblogger.org 

hxxp ://d utcheastindies.iblogger.org 

hxxp ://cramat-satu. iblogger.org 

hxxp ://misc. iblogger.org 

hxxp ://espirito-de-aventu ra.iblogger.org 

hxxp ://tomksoft. iblogger.org 

hxxp ://my movies, iblogger.org 

Known, to, have, responded, to, the, same, 
malicious, IP (199.59.243.120) are, also, the, 
following, malicious, domains: 

hxxp ://brendsrnzwrn.cuccfree.com 

hxxp://caraccidentlawyerl9.us 

hxxp ://colombi avirtualtours.com 

hxxp://dai lydigest.cn 

hxxp://drugaddiction569.us 

hxxp ://earnon I ine.cn 

hxxp://epicor.in 



hxxp://glhgk.com 
hxxp://i roopay.com 
hxxp://kajianislam.us 
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Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(199.59.243.120): 

MD5: C7bd669a416a8347aeba6117d0040217 

MD5: ae89e09f52db7f9d69b9b9c40dbf35f9 

MD5: b4399fc8flde723d452b05ec474ca651 

MD5: C779d9f4e9992ad5ffcd2353bb003a51 

MD5: Cc6efabb0a26c729fl26bl2be717de47 

Once, executed, a, sample, malware, phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://theworldnews.byethost5.com - 199.59.243.120 

Known, to, have, responded, to, the, same, malicious 
IP (205.164.14.79), are, also, the, following, 
malicious, domains: 

hxxp://fsdq.cn 

hxxp://parked-domain.org 

hxxp://fiverr.hk.tn 

hxxp://hamza nori90.name-iq.com 

hxxp://postgumtree.uk.tn 



hxxp://caoliushequ.info 
hxxp://housewi ves.byethost4.com 
hxxp://n uichate.22web.org 
hxxp://3 rtz.byethostl2.com 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(205.164.14.79): 

MD5: dbca66955cac79008f9flcd415d7e308 

MD5: b452ca519f077307d68ff034567087cl 

MD5: 70e8c79135b341eac51da0b5789744d3 

MD5: a9f64cl404faf4a6fc81564c8dec22d9 

MD5: b3737alc34cb705f7d244c99afdc3a01 

Once, executed, a, sample, malware 
(MD5:dbca66955cac79008f9flcd415d7e308), phones, 
back, to, the, following, C &C, server, IPs: 

hxxp://ibayme.eb2a.com - 205.164.14.79 

Known, to, have, responded, to, the, same, 
malicious, IPs (199.59.241.181), are, also, the, 
following, malicious, domains: 

hxxp://yn919.com 

hxxp://wimp.it 

hxxp://puqiji.com 

hxxp://52style.com 



hxxp://007guard.com 
hxxp://l 0iski.10001mb.com 
hxxp://l 1649.bodisparking.com 
hxxp://l 3.get.themed iafinder.com 
hxxp://l 34205.aceboard.fr 

Sample, detection, rate, for, a, malicious, executable: 

MD5: f74a744d75c74ed997911d0e0b7e6f67 
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Once, executed, a, sample, malware, phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://mycommerci alssecuritytool.com/in.php7affid = 34100 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: 

hxxp://protectyou rsystemnowonline.com 

hxxp://createyou rsecurityonline.com 
hxxp://commerci alssecuritytools.com 
hxxp ://freecreateyou rsecu rity.com 

Sample, URL, redirection, chain: 

hxxp://ulions.com/yxg.php?p= - 104.28.22.34 

- hxxp://ppbmv4.xorg.pl/in.php?t=cc &d=04-02-2010 span 
&h = 

- hxxp://wwwl.nat67go4it.net/?uid = 195 &pid = 3 
&ttl = 5184c614d4b - 89.248.160.161 



- hxxp://wwwl.systemsecure.in/?p= 

Know, to, have, responded, to, same, malicious, C 
&C, server, IP (104.28.22.34), are, also, the, 
following, malicious, domains: 

hxxp://portl and ultimate.com 

hxxp://portablemineapplicationsub.tech 

hxxp://i ndirimkuponlarimiz.com 

hxxp://wal kinclosetguys.com 

hxxp://brya ntanaka.com 

hxxp://swisscheckl ist.com 

hxxp://census.mnfu rs.org 

hxxp://duluthbeth.xyz 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(104.28.22.34): MD5: 
Ildda0bbd2aef7944f990fcefbc91034 

MD5: d0be24df3078866a277874dad09c98d9 

MD5: 9ba06da9370037fd2ffe525d6164b367 

MD5: 537bd45df702f90585eebab2a8bb3584 

MD5: a9f61e9696ff7ff4bfc34f70549ffdd0 

Once, executed, a, sample, malware 
(MD5:lldda0bbd2aef7944f990fcefbc91034), phones, 
back, to, the, following, C &C, server, IPs: 



hxxp ://aud io-direkt.net 

hxxp://servico-i nd.com 

hxxp://saios.net 

hxxp ://coopsu permarkt.nl 

hxxp://fruitspot.co.za 

hxxp://vitalur.by 

hxxp ://tri nity-works.com 

Once, executed, a, sample, malware 
(MD5:d0be24df3078866a277874dad09c98d9), 
phones, back, to, the, following, C &C, server, IPs: 

hxxp://3asfh.net - 104.28.22.34 

Once, executed, a, sample, malware, 
(MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, 
back, to the, following, malicious, C &C, server, IPs: 

hxxp ://l ink-1 ist-uk.com 
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hxxp ://racknstackwarehouse.com.au 
hxxp://zeronet.co.jp 
hxxp://sun-ele. co.jp 
hxxp://slcago.org 
hxxp://frederickal lergy.com 



We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Amaia918371 On 22/02/2010 

hey yoourmama, encontre este video tuyo aca 

http7/bitly/cBTsWo 

eres tu no es verdad? 


Historical OSINT - FTLog Worm Spreading Across 
Fotolog (2016-12-24 12:49) In, a, cybercrime, ecosystem, 
dominated, by, fraudulent, propositions, cybercriminals, 
continue, actively, populating, their, botnet's, infected, 
population, further, spreading, malicious, software, while, 
compromising, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, to, a, multu-tude, of, 
malicious, software, while, earning, fraudulent, revenue, in, 
the, process, of, monetizing, access, to, the, malware- 
infected, hosts, further, spreading, malicious, software, while, 
monetizing, access, to, malware-infected, hosts, largely, 
relying, on, a, set, of, tactics, techniques, and, procedures, 
successfully, monetizing, access, to, the, malware-infected, 
hosts, largely, relying, on, the, utilization, of, affiliate-based, 
type, of, monetizing, scheme. 

We've, recently, intercepted, a currently, circulating, 
malicious, spam, campaign, targeting, the, popular, social, 
network, Web, site, Fotolog, successfully, enticing, socially, 
engineered, users, into, interacting, with, malicious, links, 
while, monetizing, access, to, the, malware-infected, hosts, 
largely, relying, on, the, utilization, of, an, affiliate-based, 
type, of, monetizing, scheme. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 



and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Sample, URL, redirection, chain: 

hxxp://bit.ly/cBTsWo 

- hxxp://zwap.to/001mk 

- hxxp://www.cepsaltda.cl/uc/red.php?u = l - 216.155.72.44 

- hxxp://supatds.cn/go.php?sid = l - 92.241.164.1 

- hxxp://www.cepsaltda.cl/uc/rcodec.php 

- hxxp://cepsaltda.cl/uc/codec/divxcodec.exe 

Sample, detection, rate, for, a, sample, malicious, 
executable: MD5: C6dbc58e0db3c597c4ab562ad9710a38 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Google Docs Hosted Rogue Chrome 
Extension Serving Campaign Spotted in the Wild 
( 2016 - 12-24 19 : 12 ) 

In, a, cybercrime, ecosystem, dominated, by, malicious, 
software, releases, cybercriminals, continue, actively, 
populating, their, botnet's, infected, population, further, 
spreading, malicious, software, while, earning, fraudulent, 
revenue, in, the, process, of, obtaining, access, to, malware- 
infected, hosts, further, compromising, the, confidentiality, 
integrity, and, availability, of, the, affected, hosts, 
successfully, earning, fraudulent, revenue, in, the, process, 
of, monetizing, access, to, malware-infected, hosts, largely, 



relying, on, the, utilization, of, affiliate-based, type, of, 
monetization, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, affecting, Google Docs, while, 
successfully, enticing, socially, engineered, users, into, 
clicking, on, bogus, links, potentially, exposing, the, 
confidentiality, integrity, and, availability, of, the, affected, 
hosts, successfully, exposing, socially, engineered, users, to, 
a, rogue, Chrome Extension. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
discuss, in-depth, the, tactics, techniques, and, procedures, 
of, the, cybercriminals, behind, it, and, provide, actionable, 
intelligence, on, the, infrastructure, behind, it. 

Sample, URL, redirection, chain: 

https://1364757661090.docs.google.eom/presentation/d/lw 

5eh2rh6i0pbuVjb4 

_MzBNPEovRw3f6qiho7AshTcHI/htmlpresent?vi- 
deoid = 1364757661199 -> 
http://www.worldvideos.us/chrome.php -> 
https://chrome.google.com/webstore/detail/high- 
solution/jokhejlfefegeolonbckg gpfggipmmim 

Related, malicious, domain, reconnaissance: 

hxxp://worldvideos.us - 89.19.10.194 

nsl.facebookhizmetlerim.com 

ns2.facebookhizmetlerim.com 

Responding to 89.19.10.194 are also the following 
fraudulent domains part of the campaign's 



infrastructure: 


hxxp://e-sosyal.biz 
hxxp://facebookh izmetlerim.com 
hxxp://facebookmedya.biz 
hxxp://facebooook.biz 
hxxp://fbmedyah izmetleri.com 
hxxp://sansu rmedya.com 
hxxp://sosyal paket.com 
hxxp://world medya.net 
hxxp://youtubem.biz 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(208.73.211.70): 

hxxp://396p4rassd2.you lovesosoplne.net 
hxxp://5ql4.zapd.co 
hxxp://airmats.com 
hxxp://a mciksikis.com 

hxxp://a naranjadaverzochte.associate-physicians.org 
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hxxp://autorepai rmanual.org 
hxxp://blackoutbl inds.com 



hxxp://blog.jmarkafghans.com 


Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, C &C, server, IPs 
(208.73.211.70): MD5: 
584a779ae8cdeal3611ff45ebab517ae 

MD5: cea89679058fe5a5288cfaccla64e431 

MD5: 62eee7a0bed6e958e72c0edf9dal7196 

MD5: 160793c37a5aa29ac4c88ba88dld7cc2 

MD5: 46079bbcfcd792dfcdle906ela97c3a6 

Once, executed, a, sample, malware (MD5: 
584a779ae8cdeal3611ff45ebab517ae), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://zhutizhijia.com - 208.73.211.70 

Once, executed, a, sample, malware (MD5: 
cea89679058fe5a5288cfaccla64e431), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://aieov.com - 208.73.211.70 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(141.8.224.239): 

hxxp://happysocks.7li ve7.org 

hxxp://hiepdam.org 

hxxp://hyper-path.com 

hxxp://i nterfacelife.com 



hxxp ://i owa.fi ndanycycle.com 
hxxp://massachu setts, findanyboat.com 
hxxp://diptnyc.com 

Related, maliciuos, MD5s, known, to, have, phoned, 
back, to, the, same, C &C, server, IPs 
(141.8.224.239): MD5: 
ddf27e034e38d7d35b71b7dc5668ffce 

MD5:6ba6451a9cl85dld07323586736e770e 

MD5: 854ea0da9b4ad72aba6430ffa6ccl532 

MD5: d5585af92c512bec3009bl568c8d2f7d 

MD5: bf78b0fcfc8fla380225ceca294c47d8 

Once, executed, a, sample, malware 
(MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://srv.desk-top-app.info - 141.8.224.239 

Once, executed, a, sample, malware 
(MD5:6ba6451a9cl85dld07323586736e770e), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 

hxxp://premiumstorage.info - 141.8.224.239 

Once, executed, a, sample, malware (MD5: 
d5585af92c512bec3009bl568c8d2f7d), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://riddenstorm.net - 208.100.26.234 



hxxp://lordofthepings.ru - 173.254.236.159 
hxxp://yardnews.net - 104.154.95.49 
hxxp://wentstate.net - 141.8.224.93 
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hxxp://musicnews.net - 176.74.176.187 
hxxp://spendstate.net 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(89.19.10.194): hxxp://liderbayim.com 

hxxp://blacksport.org 

hxxp://l iderbayim.com 

hxxp://2 sosyal-panelim.com 

hxxp://sosyal-panel im.com 

hxxp://darknessbay im.com 

hxxp://hebobayi.com 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Rogue MyWebFace Application 
Serving Adware Spotted in the Wild (2016-12-25 
07:20) In, a, cybercrime, ecosystem, dominated, by, 
malicious, software, releases, cybercriminals, continue, 
actively, populating, their, botnet's, infected, population, 
further, spreading, malicious, software, potentially, exposing, 
the, confidentiality, integrity, and, availability, of, the, 
affected, hosts, further, spreading, malicious, software, while, 
monetizing, access, to, malware-infected, hosts, largely, 
relying, on, the, utilization, of, affiliate-based, type, of, 
monetizing, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, enticing, users, into, executing, 
a, malicious, software, largely, relying, on, basic, visual, 
social, engineering, enticing, users, into, executing, a, rogue, 











application, potentially, exposing, the, confidentiality, 
integrity, and, availability, of, the, affected, host. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Related, malicious, domain, reconnaissance: 

hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 
66.235.119.48 

hxxp://mywebface.mywebsearch.com - 74.113.233.64; 
74.113.233.180 

Sample, detection, rate, for, a, malicious, executable: 

MD5: b32acfece8089e52fa2288cb421fa9de 
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Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(74.113.233.48; 74.113.237.48; 66.235.119.48): 

hxxp://my info.mywebsearch.com 

hxxp://d Lmywebsearch.com 

hxxp://tbed its. my websearch.com 

hxxp://celebsau ce.dl.mywebsearch.com 

hxxp://bfc. my websearch.com 

hxxp://bar. my websearch.com 



hxxp ://i nt.search.mywebsearch.com 

hxxp://i nboxace.dl.mywebsearch.com 

hxxp ://i nternetspeedtracker.dl.mywebsearch.com 

hxxp ://my webface.dl.mywebsearch.com 

hxxp ://easy pdfcombine.dl.mywebsearch.com 

hxxp ://on I inemapfinder.dl.mywebsearch.com 

hxxp ://el iteunzip.dl.mywebsearch.com 

hxxp ://mytransitg uide.dl.mywebsearch.com 

hxxp ://packagetracer.d Lmywebsearch.com 

hxxp ://my way. my websearch.com 

hxxp ://hel pi nt.mywebsearch.com 

hxxp ://zwi nky.dl.mywebsearch.com 

hxxp ://weatherbli nk.dl.mywebsearch.com 

hxxp ://videoscavenger.d Lmywebsearch.com 

hxxp ://videod own loadconverter.dl.mywebsearch.com 

hxxp ://transl ationbuddy.dl.mywebsearch.com 

hxxp ://total recipesearch.dl.mywebsearch.com 

hxxp ://televisi onfanatic.dl.mywebsearch.com 

hxxp ://retrogamer.d Lmywebsearch.com 

hxxp ://myscrapnook. dl.mywebsearch.com 



hxxp://myfu ncards.dl.mywebsearch.com 
hxxp://g ami ngwonderland.dl.mywebsearch.com 
hxxp://d ictionaryboss.dl.mywebsearch.com 
hxxp://astrology.dl. my websearch.com 
hxxp://utmtrk2. my websearch.com 
hxxp://utm2. my websearch.com 
hxxp://utm.trk.mywebsearch.com 
hxxp://utm. my websearch.com 
hxxp://ak.ssl.toolbar.mywebsearch.com 
hxxp://wwwl 2 2. my websearch.com 
hxxp://cou ponalert.dl.mywebsearch.com 
hxxp://help. my websearch.com 
hxxp://srchsugg. my websearch.com 
hxxp://utm.gr.mywebsearch.com 
hxxp://utmtrk.gr.mywebsearch.com 
hxxp://dp. my websearch.com 
hxxp://down load, my websearch.com 
hxxp://www64. my websearch.com 
hxxp://fi I mfanatic.mywebsearch.com 
hxxp://my webface.mywebsearch.com 



hxxp://fromdoctopdf.d Lmywebsearch.com 
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hxxp://wwwl 73. my websearch.com 
hxxp://wwwl 53. my websearch.com 
hxxp://wwwl 70. my websearch.com 
hxxp://wwwl 76. my websearch.com 
hxxp://wwwl 55. my websearch.com 
hxxp://wwwl86. my websearch.com 
hxxp://wwwl 56a. my websearch.com 
hxxp://wwwl87. my websearch.com 
hxxp://wwwl98. my websearch.com 
hxxp://wwwl 54. my websearch.com 
hxxp://cfg. my websearch.com 
hxxp://mapsg alaxy.dl.mywebsearch.com 
hxxp://ed its. my websearch.com 
hxxp://www. my websearch.com 
hxxp://enable. my websearch.com 
hxxp://l ive.mywebsearch.com 
hxxp://config. my websearch.com 
hxxp://a nx.mywebsearch.com 



hxxp://bstat. my websearch.com 
hxxp://u pdates.mywebsearch.com 
hxxp://home. my websearch.com 
hxxp://sea rch.mywebsearch.com 
hxxp://stats. my websearch.com 
hxxp://a kd.search.mywebsearch.com 
hxxp://a k2.home.mywebsearch.com 
hxxp://ak.search, my websearch.com 
hxxp://ak.tool bar. my websearch.com 
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Related, malicious, MD5s, known, to, have, 
participated, in, the, campaign: MD5: 
83cdb402fcd68947f7519eaad515fa5a 

MD5: 6b31cc25e68d5d008e319c4alc8c4098 

MD5: f2392d 18a266f554743b495b4e71b2be 

MD5:9bcaeb5b4bdd6b9e22852a98ca630914 

MD5: 4fd260el7ca40a31a7baace9aflb7db9 

Once, executed, a, sample, malware, (MD5: 
83cdb402fcd68947f7519eaad515fa5a), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp ://l 78.150.139.157/search, htm 









hxxp://sev2012.com/page _click.php - 141.8.224.239; 
54.72.9.51; 91.220.131.33; 91.236.116.20 

hxxp ://62.12 2.107.119/i nstall.htm 

Known, to, have, responded, to, the, same, 
malicious, C &C, server, IPs (178.150.139.157), are, 
also, the, following, malicious, domains: 

hxxp://cejzesu.com 

hxxp ://hqy ibul.wuwykym.net 

Related, malicious, MD5s, known, to, have, 
responded, to, the, same, malicious, C &C, server, 

IPs: MD5: C92a9961e6096eb7af3a34e9e48114fl 

MD5: 25789eec9e0d4b5cdfl84bf41460808e 

MD5: Ia72e482e6ec352ae4c9206b92776f01 

116 

MD5: e22a0fd64e5b6193be655cc29ed 19755 

MD5: fe8a027fd45ec9621b34a20bc907fb2c 

Once, executed, a, sample, malware (MD5: 
C92a9961e6096eb7af3a34e9e48114fl), phones, 
back, to, the, following, C &C, server, IPs: 

http://178.150.244.54/mod2/mentalc.exe 

http://178.150.139.157/modl/mentalc.exe 

Once, executed, a, sample, malware (MD5: 
25789eec9e0d4b5cdfl84bf41460808e), phones, back, 
to, the, following, C &C, server, IPs: 



http://95.180.66.40/mod2/b0ber01.exe 

http://91.245.79.46/modl/b0ber01.exe 

http://178.150.139.157/modl/b0ber01.exe 

Once, executed, a, sample, malware (MD5: 
Ia72e482e6ec352ae4c9206b92776f01), phones, 
back, to, the, following, C &C, server, IPs: 

http://77.123.73.34/keybex4.exe 

http://178.150.139.157/keybex4.exe 

Once, executed, a, sample, malware (MD5: 
e22a0fd64e5b6193be655cc29edl9755), phones, 
back, to, the, following, C &C, server, IPs: 

http://176.194.18.198/mod2/ozersid.exe 

http://176.110.28.238/modl/ozersid.exe 

http://46.73.67.61/mod2/ozersid.exe 

http://178.150.209.116/mod2/ozersid.exe 

http://178.150.139.157/mod2/ozersid.exe 

http://193.32.14.186/modl/ozersid.exe 

http://46.211.9.37/modl/ozersid.exe 

Once, executed, a, sample, malware (MD5: 
fe8a027fd45ec9621b34a20bc907fb2c), phones, back, 
to, the, following, C &C, server, IPs: 

http://178.150.139.157/welcome.htm 

http://77.122.28.206/default.htm 



http://77.122.28.206/online.htm 

http://mydear.name/page umax.php 

Once, executed, a, sample, malware, (MD5: 
6b31cc25e68d5d008e319c4alc8c4098), phones, 
back, to, the, following, C &C, server, IPs: 

hxxp://cytpaxiz.us/rasta01.exe 

hxxp://60.36.47.71/file.htm 

hxxp://219.204.4.3/search, htm 

Once, executed, a, sample, malware, (MD5: 
f2392dl8a266f554743b495b4e71b2be), phones, 
back, to, the, following, C &C, server, IPs: 

hxxp://46.121.221.173/start.htm 

hxxp://bu rhyyal.epfusgy.com/calc.exe 

hxxp ://178.150.138.2/install, htm 

Once, executed, a, sample, malware, (MD5: 
9bcaeb5b4bdd6b9e22852a98ca630914), phones, 
back, to, the, following, C &C, server, IPs: 
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hxxp ://l 59.2 24.191.47/install, htm 

hxxp 7/109.87.184.7/setup, htm 

Once, executed, a, sample, malware, (MD5: 
4fd260el7ca40a31a7baace9aflb7db9), phones, back, 
to, the, following, C &C, server, IPs: 



hxxp ://l 78.158.2 37.37/welcome, htm 
hxxp ://l 78.165.13.17/home, htm 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(74.113.233.48): 

MD5: a3470a214ec34f7a0b9330e44af80714 

MD5: 31593f94936e63152d35ca682fb9ef0b 

MD5: eb003b7665b34f6ed3a7944e4254ad2d 

MD5: edlc465beca9596a9031580dl093cbl3 

MD5: cace61ddd8f8e30cflf52f9ad6c66578 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://home.mywebsearch.com - 74.113.233.48 

hxxp://akd.search.mywebsearch.com - 5.178.43.17 

hxxp://ak.imgfarm.com - 90.84.60.81 

hxxp://anx.mywebsearch.com - 74.113.233.187 

Related, malicious, MD5s, known, to, have, 
responded, to, the, same, malicious, C &C, server, 
IPs: MD5: Ilddcf7bd806c9ef24cc84a440629e68 

MD5:8cle63b34c678b48c63ba369239d5718 

MD5: 10b4c54646567dcee605f5c36bfa8fl7 

MD5: 70dbce98fld62c03317797aldd3dal51 


MD5: ee00f47a51e91alf70a5c7a0086b7220 



Once, executed, a, sample, malware (MD5: 
Ilddcf7bd806c9ef24cc84a440629e68), phones, back, 
to, the, following, malicious, C &C, server, IPs: 

http://78.62.197.14/online.htm 

http://89.46.92.232/welcome.htm 

http://89.46.92.232/login.htm 

Once, executed, a, sample, malware (MD5: 
8cle63b34c678b48c63ba369239d5718), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

http://109.251.217.207/home.htm 

http://109.251.217.207/login.htm 

Once, executed, a, sample, malware, (MD5: 
10b4c54646567dcee605f5c36bfa8fl7), phones, back, 
to, the, following, malicious, C &C, server, IPs: 

http://91.221.219.12/setup.htm 

Once, executed, a, sample, malware, (MD5: 
70dbce98fld62c03317797aldd3da 151), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

http://89.229.4.22/i nstall.htm 

http://89.229.4.22/default.htm 

Once, executed, a, sample, malware (MD5: 
ee00f47a51e91alf70a5c7a0086b7220), phones, 
back, to, the, 118 

following, malicious, C &C, server, IPs: 

http://89.229.4.22/i nstall.htm 



http://89.229.4.22/default.htm 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Koobface Gang Utilizes, Google 
Groups, Serves, Scareware and Malicious Software 
(2016-12-25 19:58) 

In, a, cybercrime, ecosystem, dominated, by, malicious, 
software, releases, cybercriminals, continue, actively, 
populating, their, botnet's, infected, populating, successfully, 
affecting, hundreds, of, thousands, of, users, globally, 
potentially, exposing, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, to, a, multi-tude, of, 
malicious, software, further, spreading, malicious, software, 
further, earning, fraudulent, revenue, in, the, process, of, 
monetizing, access, to, malware-infected, hosts, largely, 
relying, on, the, utilization, of, an, affiliate-network, based, 
type, of, monetization, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, affecting, Google Groups, 
potentially, exposing, users, to, a, multi-tude, of, malicious, 
software, including, fake, security, software, also, known, as, 
scareware, further, enticing, users, into, interacting, with, 
the, bogus, links, potentially, exposing, their, devices, to, a, 
multi-tude, of, malicious, software. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it, and, establish, 
a, direct, connection, between, the, campaign, and, the, 
Koobface, gang. 



Related, malicious, rogue, content, URLs, known, to, 
have, participated, in, the, campaign: 

- anisimivachevl7 -1125 messages 

- ilariongrishelev24 - 1099 messages 

- yuvenaliyarzhannikovl5 -1108 messages 

- burniemetheny52 - 1035 messages 

- mengrug - 1090 messages 

- silabobrov27 -1116 messages 

Related, malicious, URIs, known, to, have, 
participated, in, the, campaign: hxxp://wut.im/343535 

hxxp://tpal.us/wedding2 

hxxp://shrtb.us/New year video 

hxxp ://sn ipurl.com/tx2 r6 

hxxp://www. tcp3.com/helga-4315 

hxxp://budurl.com/egph 

h xx p://fl ipto.com/jokes/ 

hxxp://rejoicetv.info/newyear 

hxxp://fauz.me/?livetv 

hxxp ://go2.vg/funny kids 

hxxp://usav.us/anecdotes 

hxxp ://vai me.org/joke 



hxxp ://thefl ooracle.com/mistakes 
hxxp://dashu rl.com/video-jokes 
hxxp ://www.shortme. info/smiley kids/ 
hxxp://startu rl.com/clip32112 
hxxp ://startu rl.com/rebeca 
hxxp://startu rl.com/video2231 
hxxp ://startu rl.com/funcl ip 
hxxp ://startu rl.com/sexchat 
hxxp ://sn i pu rl .com/tx2 r6 
hxxp ://www.41z.com/animals 
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hxxp ://www. rehttp.com/?smi ley kids 
hxxp ://startu rl.com/adamaura 
hxxp ://myti nyurls.com/wfj 
hxxp://budurl.com/egph 

Sample, detection, rate, for, a, malicious, executable: 

MD5: Ie0d06095a32645c3f57flb4dcbcfe5c 

Sample, malicious, URL, involved, in, the, campaign: 

hxxp://newsekuritylist.com/index.php7affid = 92600 - 
213.163.89.56 - Bobby.J.Hyatt@gmail.com Parked there 
are also: 



hxxp://networkstabilityinc .com - Email: 

juliacanderson@pookmail.com; 

marcusmhuffaker@mailinator.com; 

justinpnelson@dodgit.com 

hxxp://indiansoftwareworld .com - Email: 
thelmamhandley@trashymail.com; 
leanngscofield@gmail.com; ernesty- 
gresham@trashymail.com 

hxxp://antyvirusdevice 

.com 


Email: 

latonyawmiller@pookmail.com; 

royawiley@pookmail.com; 

gracegoshea@pookmail.com; latonyawmiller@pookmail.com 

hxxp://digitalprotectionservice .com - Email: 

clarencepfetter@trashymail.com; 

jamesdrobinson@pookmail.com; 

jamesdrobinson@pookmail.com; clarencepfetter@trashymail 
.com 

hxxp://bestantyvirusservice 


.com 



Email: 


kathrynrsmith@gmail.com; 

richardbhughey@gmail.com; 

joshuamwest@trashymail.com; kathrynrsmith@gmail.com 

hxxp://antivirussoftrock .com - Email: 
michaelaturner@trashymail.com; 
gracemparker@trashymail.com; cliffordsfer- 
nandez@pookmail.com; michaelaturner@trashymail.com 

hxxp://antywiramericasell .com - Email: 
Shannon.J.Ferguson@gmail.com 
hxxp://antydetectivewaemergencyroom .com - Email: 

brettdpetro@gmail.com; valeriejweaver@dodgit.com; 

williekharris@mailinator.com; brettdpetro@gmail.com 

hxxp://freeinternetvacation 

.com 


Email: 

edwardmyoung@trashymail.com; 

aileenasaylor@gmail.com; 

williamjoverby@trashymail.com; 

edwardmyoung@trashymail.com 


hxxp ://aolbi 11 i ng hq .com - Email: 



haroldamccarthy@trashy mail, com; 

teodoromkeller@trashymail.com; joan-swhite@dodgit.com; 
haroldamccarthy@trashymail.com 

hxxp://scanserviceprovider .com - Email: 
rogerdmurphy@gmail.com; 
charlescvalentino@mailinator.com; eliarmc- 
donald@trashymail.com; rogerdmurphy@gmail.com 

hxxp://securitytoolsquotes .com - Email: 
thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; 
jamesmcum-mings@trashymail.com; 
thurmanepidgeon@dodgit.com 

hxxp://electionprogress .com - Email: 

clarenceafloyd@pookmail.com; junerwurth@pookmail.com; 
edjbax- 

ter@gmail.com; clarenceafloyd@pookmail.com 

hxxp://myantywiruslist .com - Email: 
Nathan.S.Dennis@gmail.com 

hxxp://antyspywarelistnow .com - Email: 
James.M.Miller@gmail.com hxxp://securitylabtoday .com - 
Email: Marc.N.Torres@gmail.com 

hxxp://yournecessary 

.com 


Email: 

debrahbettis@gmail.com; 



myracbryant@dodgit.com; 

marycwilliams@dodgit.com; debrahbettis@gmail.com 

hxxp://securityutiIitysite .net - Email: 
michellemwelch@mailinator.com; 
charlesdfrazier@trashymail.com; ros- 
aliejhumphrey@pookmail.com; 
michellemwelch@mailinator.com 

hxxp://securitytoolsshop 

.net 

Email: 

sarajgunter@gmail.com; 

kerstinrbray@gmail.com; 

keithrdeje- 

sus@mailinator.com; sarajgunter@gmail.com 

hxxp://securitytooledit 

.net 

Email: 

byronlross@pookmail.com; 

jamesslewis@mailinator.com; 

leigh- 



schancey@trashymail.com; byronlross@pookmail.com 


hxxp://portsecurityutiIity .net - Email: 
marquettacpettit@trashymail.com; 
melindakbolin@pookmail.com; rhondae- 
hipp@mailinator.com; marquettacpettit@trashymail.com 
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Sample, detection, rate, for, a, malicious, executable: 

MD5: 4a3e8b6b7f42df0f26e22faafaa0327f 

MD5: 64alllacdc77762f261b9f4202e98d29 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp ://newseku ritylist.com/in.php?affid = 92 600 

hxxp ://newseku ritylist.com/in.php7affid = 92 600 

Sample, URL, redirection, chain: 

hxxp://rejoicetv.info/newyear 

- hxxp://91.207.4.19/tds/go.php?sid = 3 

- hxxp://liveeditionpc.net?uid = 297 &pid = 3 

&ttl = l 184562la62 - 95.169.187.216 - korn989.net; 
liveeditionpc.net; createpc-pcscan-korn.net 

- hxxp://wwwl.hotcleanofyour-pc.net/p= = = - 
98.142.243.174 - live-guard-forpc.net is also parked 
there: Sample, detection, rate, for, a, malicious, 
executable: 

MD5:4912961c36306dl56e4e2b335c51151b 



Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp ://u pdate2. pci iveguard.com/index.php?controller= hash 

- 124.217.251.99 

hxxp://u pdate2.pcliveguard.com/index.php? 
control ler= microinstaller 

&abbr=PCLG 

&setupType=xp 

&ttl = 210475833d3 &pid = 

hxxp://u pdate2.pcliveguard.com/index.php? 
control ler= microinstaller 

&abbr=PCLG 

&setupType=xp 

&ttl = 210475833d3 &pid = 

hxxp ://secu rityearth.cn/Reports/MicroinstallServiceReport.ph 
p - 210.56.53.125 

Sample, URL, redirection, chain: 

hxxp ://g arlandvenit.150m.com 

- hxxp://online-style2.com 

- hxxp://scanner-malwarel5.com/scn3/?engine= 

- hxxp://scanner-malwarel5.com/download.php?id = 328s3 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: 



hxxp://ecl ipserisa.150m.com 

hxxp://adamau ra.150m.com 

hxxp://h ugodinah.150m.com 

hxxp://roycesylvia.l50m.com 

hxxp://l indaagora.150m.com 

hxxp://sharoly npam.150m.com 

hxxp://l etarebeca.150m.com 

hxxp://l etarebeca.150m.com 

Sample, URL, redirection, chain: 

hxxp ://egoldeng love.com/lmages/bin/movie/ 

- hxxp://egoldenglove.com/lmages/bin/movie/Flash JJpdate 
1260873156.exe Once, executed, a, sample, malware, 
phones, back, to, the, following, malicious, C &C, 
server, IPs: hxxp://2-weather.com/?pid = 328s03 
&sid = 3593b2 &d = 3 &name=Loading %20video - 
66.197.160.104 -mail@tatrum-verde.com 
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hxxp://scanner-spya8.com/scn3/?engine= - 
info@gainweight.com - 

Sample, detection, rate, for, a, malicious, executable: 

MD5: bfaba92c3c0eaec61679f03ff0eb0911 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 



hxxp://91.212.2 2 6.185/down load/win logo, bmp 
(windowsaltserver.com) Related, malicious, domains, 
known, to, have, participated, in, the, campaign: 

hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum- 
verde.com hxxp://2-weather.com - 193.104.22.202 - - Email: 
mail@tatrum-verde.com - currently embedded on Koobface- 
infected hosts pushing scareware 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: hxxp://online-style2.com 
- 66.197.160.104 - Email: mail@tatrum-verde.com 
hxxp://scanner-malwarel5.com - Email: info@natural- 
health.org 

Related, malicious, IPs, known, to, have, 
participated, in, the, campaign: hxxp://68.168.212.142 

hxxp ://91.212.226.97 

hxxp ://6 6.197.160.105 

Parked on 68.168.212.142: 

hxxp://antispywareguide20 .com - Email: 
contacts@vertigo.us 

hxxp://antispywareguide22 .com - Email: 
contacts@vertigo.us 

hxxp://antispywareguide23 .com - Email: 
contacts@vertigo.us 

hxxp://antispywareguide25 .com - Email: 
contacts@vertigo.us 

hxxp://antispywareguide27 .com - Email: 
contacts@vertigo.us 



hxxp://antispywaretoolslO .com - Email: contacts@vertigo.us 

hxxp://antispywaretoolsll .com - Email: contacts@vertigo.us 

hxxp://antispywaretoolsl2 .com - Email: contacts@vertigo.us 

hxxp://antispywaretoolsl7 .com - Email: contacts@vertigo.us 

hxxp://antispywaretoolsl8 .com - Email: contacts@vertigo.us 

hxxp://best-scan-911 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-921 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-931 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-951 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-961 .com - Email: 
TheodoreWTurner@live.com 

hxxp://birthday-gifts2 .com - Email: 
TheodoreWTurner@live.com 

hxxp://christmasdecoration2 .com - Email: 
contact@trythreewish.us hxxp://computerscanmO .com - 
Email: JamesNTurner@yahoo.com 

hxxp://computerscanm2 .com - Email: 
JamesNTurner@yahoo.com 

hxxp://computerscanm4 .com - Email: 
JamesNTurner@yahoo.com 




hxxp://computerscanm6 .com - Email: 

JamesNTu rner@yahoo.com 

hxxp://computerscanm8 .com - Email: 
JamesNTurner@yahoo.com 

hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scanl21 .com - Email: TheodoreWTurner@live.com 
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hxxp://microscannerl .com - Email: info@enigmazero.com 
hxxp://micro-scannerl .com - Email: info@enigmazero.com 

hxxp://microscanner2 .com - Email: info@enigmazero.com 

hxxp://micro-scanner2 .com - Email: info@enigmazero.com 

hxxp://microscanner3 .com - Email: info@enigmazero.com 

hxxp://micro-scanner3 .com - Email: info@enigmazero.com 

hxxp://microscanner4 .com - Email: info@enigmazero.com 

hxxp://micro-scanner4 .com - Email: info@enigmazero.com 

hxxp://microscanner5 .com - Email: info@enigmazero.com 

hxxp://micro-scanner5 .com - Email: info@enigmazero.com 

hxxp://micro-scanneral .com - Email: info@enigmazero.com 



hxxp://micro-scannerbl .com - Email: info@enigmazero.com 

hxxp://micro-scannercl .com - Email: info@enigmazero.com 

hxxp://micro-scannerdl .com - Email: info@enigmazero.com 

hxxp://pc-antispyo3 .com 

hxxp://pc-antispyo5 .com 

hxxp://pc-antispyo6 .com 

hxxp://pc-antispyo9 .com 

hxxp://pc-securityv8 .com - Email: info@billBlog.com 

hxxp://protect-pcal .com 

hxxp://protect-pcrl .com 

hxxp://protect-pctl .com 

hxxp://protect-pcul .com 

hxxp://quick-antispy91 .com - Email: 
williams.trio@yahoo.com 

hxxp://quick-antispy92 .com - Email: 
williams.trio@yahoo.com 

hxxp://quick-antispy93 .com - Email: 
williams.trio@yahoo.com 

hxxp://quick-antispy95 .com - Email: 
williams.trio@yahoo.com 

hxxp://quick-antispy99 .com - Email: 
williams.trio@yahoo.com 



hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com 

hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com 

hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com 

hxxp://quick-scanner77 .com - Email: 
williams.trio@yahoo.com 

hxxp://quick-scanner78 .com - Email: 
williams.trio@yahoo.com 

hxxp://run-scanner023 .com - Email: 
TheodoreWTurner@live.com 

hxxp://run-scanner056 .com - Email: 
TheodoreWTurner@live.com 

hxxp://run-scanner067 .com - Email: 
TheodoreWTurner@live.com 

hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com 

hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com 

hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com 

hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com 

hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com 

hxxp://safe-your-pc002 .com - Email: 
JamesNTurner@yahoo.com 

hxxp://safe-your-pc004.com - Email: 
JamesNTurner@yahoo.com 



hxxp://safe-your-pc009 .com - Email: 

JamesNTu rner@yahoo.com 

hxxp://scan-and-secure01 .com 

hxxp://scan-and-secure04 .com 

hxxp://scan-and-secure06 .com 

hxxp://scan-and-secure07 .com 
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hxxp://scan-and-secure09 .com 
hxxp://scan-computerab .com 
hxxp://scan-computereO .com 

hxxp://scanner-malware01 .com - Email: info@natural 
health.org 

hxxp://scanner-malware02 .com - Email: info@natural 
health.org 

hxxp://scanner-malware04 .com - Email: info@natural 
health.org 

hxxp://scanner-malware05 .com - Email: info@natural 
health.org 

hxxp://scanner-malware06 .com - Email: info@natural 
health.org 

hxxp://scanner-malwarell .com - Email: info@natural 
health.org 



hxxp://scanner-malwarel2 .com - Email: i nfo@ natural - 
health.org 

hxxp://scanner-malwarel3 .com - Email: i nfo@ natural- 
health.org 

hxxp://scanner-malwarel4 .com - Email: i nfo@ natural- 
health.org 

hxxp://scanner-malwarel5 .com - Email: i nfo@ natural- 
health.org 

hxxp://securitysoftwarel .com 
hxxp://securitysoftware3 .com 
hxxp://securitysoftware5 .com 
hxxp://securitysoftwaree .com 
hxxp://securitysoftwaree7 .com 
hxxp://security-softwareol .com 
hxxp://security-softwareo5 .com 
hxxp://security-softwareo7 .com 

hxxp://unique-gifts2 .com - Email: contact@trythreewish.us 
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us 
hxxp://xmas-song .com - Email: contact@trythreewish.us 

Parked on 91.212.226.97; 66.197.160.105: 

hxxp://best-scan-911 .com - Email: 
TheodoreWTurner@live.com 



hxxp://best-scan-921 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-931 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-951 .com - Email: 
TheodoreWTurner@live.com 

hxxp://best-scan-961 .com - Email: 
TheodoreWTurner@live.com 

hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scanl21 .com - Email: TheodoreWTurner@live.com 
hxxp://microscannerl .com - Email: info@enigmazero.com 
hxxp://micro-scannerl .com - Email: info@enigmazero.com 
hxxp://microscanner2 .com - Email: info@enigmazero.com 
hxxp://micro-scanner2 .com - Email: info@enigmazero.com 
hxxp://microscanner3 .com - Email: info@enigmazero.com 
hxxp://micro-scanner3 .com - Email: info@enigmazero.com 
hxxp://microscanner4 .com - Email: info@enigmazero.com 
hxxp://micro-scanner4 .com - Email: info@enigmazero.com 
hxxp://microscanner5 .com - Email: info@enigmazero.com 



hxxp://micro-scanner5 .com - Email: info@enigmazero.com 
hxxp://micro-scanneral .com - Email: info@enigmazero.com 
hxxp://micro-scannerbl .com - Email: info@enigmazero.com 
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hxxp://micro-scannercl .com - Email: info@enigmazero.com 
hxxp://micro-scannerdl .com - Email: info@enigmazero.com 

hxxp://run-scanner023 .com - Email: 
TheodoreWTurner@live.com 

hxxp://run-scanner056 .com - Email: 
TheodoreWTurner@live.com 

hxxp://run-scanner067 .com - Email: 
TheodoreWTurner@live.com 

hxxp://scanner-malware01 .com - Email: info@natural- 
health.org 

hxxp://scanner-malware02 .com - Email: info@natural- 
health.org 

hxxp://scanner-malware04 .com - Email: info@natural- 
health.org 

hxxp://scanner-malware05 .com - Email: info@natural- 
health.org 

hxxp://scanner-malware06 .com - Email: info@natural- 
health.org 

hxxp://scanner-malwarell .com - Email: info@natural- 
health.org 



hxxp://scanner-malwarel2 .com - Email: i nfo@ natural - 
health.org 

hxxp://scanner-malwarel3 .com - Email: i nfo@ natural- 
health.org 

hxxp://scanner-malwarel4 .com - Email: i nfo@ natural- 
health.org 

hxxp://scanner-malwarel5 .com - Email: i nfo@ natural- 
health.org 

Parked on 66.197.160.104: 

hxxp://2activities.com - Email: mail@tatrum-verde.com 
hxxp://2-scenes.com - Email: mail@tatrum-verde.com 
hxxp://2-weather.com - Email: mail@tatrum-verde.com 
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com 
hxxp://online-news2.com - Email: mail@tatrum-verde.com 
hxxp://online-style2 .com - Email: mail@tatrum-verde.com 
hxxp://online-tv2.com - Email: mail@tatrum-verde.com 
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com 
hxxp://winterart2 .com - Email: info@territoryplace.us 
hxxp://winterchristmas2 .com - Email: info@territoryplace.us 
hxxp://wintercrafts2 .com - Email: info@territoryplace.us 
hxxp://winterkids2 .com - Email: info@territoryplace.us 
hxxp://winterphotos2 .com - Email: info@territoryplace.us 



hxxp://winterpicture2 .com - Email: info@territoryplace.us 

hxxp://winterscene2 .com - Email: info@territoryplace.us 

hxxp://winterwallpaper2 .com - Email: info@territoryplace.us 

What's particularly, interesting, about, this, particular, 
campaign, is, the, direct, connection, with, the, Koobface, 
gang, taking, into, consideration, the, fact, that, 
hxxp://redirector online-style2.com/?pid=312s03 
&sid=4dbl2f has, also, been, used, by, Koobface-infected 
hosts, and, most, importantly, the, fact, that, a, sampled, 
scareware, campaign from December 2009, were serving 
scareware parked on 193.104.22.200, where the Koobface 
scareware portfolio is parked, as, previously, profiled, and, 
analyzed. 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Hundreds of Malicious Web Sites 
Serve Client-Side Exploits, Lead to Rogue YouTube 
Video Players (2016-12-25 21:47) 

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, 
malicious, software, releases, cybercriminals, continue, 
actively, populating, a, botnet's, infected, population, 
further, spreading, malicious, software, potentially, 
compromising, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, potentially, exposing, 
the, affected, user, to, a, multi-tude, of, malicious, software, 
further, earning, fraudulent, revenue, in, the, process, of, 
monetizing, the, access, to, the, malware-infected, hosts, 
largely, relying, on, the, use, of, affiliate-network, based, 
type, of, fraudulent, revenue, monetization, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, enticing, users, into, clicking, on, 
bogus, and, rogue, links, potentially, exposing, the, 
confidentiality, integrity, and, availability, of, the, affected, 






















hosts, ultimately, attempting, to, socially, engineer, users, 
into, interacting, with, rogue, YouTube, Video, Players, 
ultimately, dropping, fake, security, software, also, known, as, 
scareware, on, the, affected, hosts, with, the, cybercriminals, 
behind, the, campaign, actively, earning, fraudulent, 
revenue, largely, relying, on, the, utilization, of, an, affiliate- 
network, based, type, of, monetization, scheme. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Sample, URL, redirection, chain: 

hxxp://acquaintive.in/x.html - 208.87.35.103 

- hxxp://xxxvideo-hlyl.cz.cc/video7/?afid = 24 - 63.223.117.10 

- hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: 
enquepuedo.senior@gmail.com 

- hxxp://binarymode.in/topic/exe.php?x=jjar 

- hxxp://binarymode.in/topic/?showtopic=ecard &bid = 151 
&e=post &done=image Related, malicious, MD5s, 
known, to, have, responded, to, the, same, C &C, 
server, IPs (208.87.35.103): MD5: 
al2c055f201841f4640084a70b34c0c4 

MD5: b4d435fl5d094289839eac6228088baf 

MD5: 2782220da587427b981f07dc3e3e0d96 

MD5: 1151cd39495c295975b8c85bd4b385e5 


MD5: 2539d5d836f058afbbf03cb24e41970c 



Once, executed, a, sample, malware (MD5: 
al2c055f201841f4640084a70b34c0c4), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://926garage.com - 185.28.193.192 

hxxp://quistsolutions.eu - 188.165.239.53 

hxxp://rehabilitacion-de-drogas.org - 188.240.1.110 

hxxp://bcbrownmusic.com - 69.89.21.66 

hxxp://andziOI.5v.pl - 46.41.150.7 

hxxp://alsaei.com - 192.186.194.133 

Once, executed, a, sample, malware (MD5: 
2782220da587427b981f07dc3e3e0d96), phones, 
back, to, the, following, C &C, server, IPs: 

hxxp://lafyeri.com 

hxxp://kulppasur.com - 209.222.14.3 
hxxp://toalladepapel.com.ar - 184.168.57.1 
hxxp://www.ecole-saint-simon.net - 208.87.35.103 
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Once, executed, a, sample, malware (MD5: 
2539d5d836f058afbbf03cb24e41970c), phones, back, 
to, the, following, C &C, server, IPs: 

hxxp://realquickmedia.com (208.87.35.103) 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 



(109.74.195.149): 

hxxp://trustidsoftware.com 

hxxp://tc28q8cxl2a5ljwa60skl87w6.cdxlcdxlcdxl.in 
hxxp://g olubu6ka.com 
hxxp://cdx2cdx2cdx2.in 
hxxp://red mewire.com 

hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in 
hxxp://es3iz6lb0pet3ix6la0p.cdx2cdx2cdx2.in 
hxxp://qsd79bd0j8f7c90e057a.cdxlcdxlcdxl.in 
hxxp://w8ncqpet2hx5kf9mbrla.cdxlcdxlcdxl.in 
hxxp://skyg aran4ik.com 

hxxp://5xj7wk9amqcpse2ug4ve.cdxlcdxlcdxl.in 
hxxp://read relay.com 

hxxp://bk5sbm7xgo6vk0e6b3xc.cdxlcdxlcdxl.in 
hxxp://d51flqam8wil5wpxmtjq.cdx2cdx2cdx2.in 
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in 
hxxp ://zon kj hgebawzvsq 09753.cdxlcdxlcdxl. in 
hxxp://n ightphantom.com 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(109.74.195.149): 



MD5: a6c06a59da36eelae96ffaff37dl2f28 


MD5: 2dlbb6ca54f4c093282ea30e2096af0f 

MD5: adf037ecbd4e7af573ddeb7794b61c40 

MD5: Ce7d4a493fc4b3c912703f084d0d61el 

MD5: c36941693eeef3fa54ca486044c6085a 

Once, executed, a, sample, malware 
(MD5:a6c06a59da36eelae96ffaff37dl2f28), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://replost.com - 109.74.195.149 

hxxp://zeplost.com - 109.74.195.149 

Once, executed, a, sample, malware 
(MD5:2dlbb6ca54f4c093282ea30e2096af0f), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://qweplost.com - 109.74.195.149 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(96.126.106.156): 

hxxp://checkwebspeed.net 

hxxp://gercou rses.com 

hxxp://replost.com 

hxxp://boltoflexaria.in 

hxxp://levartnetcom.net 

hxxp://boltoflex.in 



hxxp://borderspot.net 
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hxxp://diathbsp.in 

hxxp://ganzagroup.in 

hxxp://httpsstarss.in 

hxxp://missi ngsync.net 

hxxp://qqplot.com 

hxxp://evelice.in 

hxxp://gotheapples.com 

hxxp://su rfacechicago.net 

hxxp://zeplost.com 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs: MD5 

0183a687365cc3eb97bb5c2710952f95 

MD5: fle3030a83fa2fl4f271612a4de914cb 

MD5: 97269450de58ef5fb8d449008e550bf0 

MD5: C83962659f6773b729aa222bd5b03f2f 

MD5: e0aa08d4d98c3430204clbb6f4c980el 

Once, executed, a, sample, malware 
(MD5:0183a687365cc3eb97bb5c2710952f95), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 



hxxp://replost.com - 96.126.106.156 

Once, executed, a, sample, malware 
(MD5:fle3030a83fa2fl4f271612a4de914cb), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://gercou rses.com/borders.php 

Once, executed, a, sample, malware 
(MD5:97269450de58ef5fb8d449008e550bf0), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://checkwebspeed.net - 96.126.106.156 

Once, executed, a, sample, malware 
(MD5:c83962659f6773b729aa222bd5b03f2f), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://checkwebspeed.net - 96.126.106.156 

Once, executed, a, sample, malware 
(MD5:e0aa08d4d98c3430204clbb6f4c980el), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 

hxxp://replost.com - 96.126.106.156 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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Historical OSINT - Massive Black Hat SEO Campaign, 
Spotted in the Wild, Serves Scareware (2016-12-25 
22:43) 

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, 
malicious, software, releases, cybercriminals, continue, 



actively, populating, their, botnet's, infected, population, 
with, hundreds, of, newly, added, socially, engineered, users, 
potentially, exposing, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, to, a, multi-tude, of, 
malicious, software, further, spreading, malicious, software, 
potentially, exposing, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, to, a, multi-tude, of, 
malicious, software, further, earning, fraudulent, revenue, in, 
the, process, of, obtaining, access, to, a, malware-infected, 
hosts, largely, relying, on, the, utilization, of, an, affiliate- 
network, based, type, of, monetizing, scheme. 

We've, recently, intercepted, a, currently, circulating, 
malicious, spam, campaign, utilizing, blackhat, seo (search 
engine optmization), for, traffic, acquisition, tactics, 
techniques, and procedures, potentially, exposing, hundreds, 
of, thousands, of, socially, engineered, users, to, a, multi¬ 
tude, of, malicious, software, including, fake, security, 
software, also, known, as, scareware, with, the, 
cybercriminals, behind, the, campaign, successfully, earning, 
fraudulent, revenue, in, the, process, of, monetizing, the, 
hijacked, traffic, largely, relying, on, the, utilization, of, an, 
affiliate-network, type, of, monetization, scheme. 

In, this, post, we'll, profile, the, campaign, provide, 
actionable, intelligence, on, the, infrastructure, behind, it, 
and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 

Related, malicious, domains, known, to, have, 
participated, in, the, campaign: hxxp://blank fax 
_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 
216.172.154.34; 205.164.24.44; 205.164.24.45 



Related, malicious, domains, known, to, have, 
participated, in, the, campaign: hxxp://aizvfnnd.cc - 
Email: janice@whiteplainsrealty.com 

hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com 

hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com 

hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com 

hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com 

hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com 

hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com 

hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com 

hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com 

hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com 

hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com 

hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com 

hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com 

hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com 

hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com 

hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com 

hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com 

hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com 

hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com 



hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com 
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com 
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com 
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com 
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com 
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Sample, malicious, redirector, used, in, the, 
campaign: hxxp://bostofstenl.net 

Related, malicious, MD5s, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(216.172.154.34): MD5: 
ad04fd31e9868b073222b3fd2aac93f7 

MD5: 103ecb766e0deb06ccbcea0a8046b4cb 

MD5: eb0fab963cd37660956a7ab0c66715c2 

MD5: 00da0096bd91e89e4059c428259a6cbb 

MD5: 9b7f0e0ebfl656227de9f8f97dfd9141 

Once, executed, a, sample, malicious, executable, 
(MD5:ad04fd31e9868b073222b3fd2aac93f7) phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://down.down988.cn - 65.19.157.228 

Once, executed, a, sample, malicious, executable, 
(MD5:00da0096bd91e89e4059c428259a6cbb) 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 



hxxp://cutalot.cn - 205.164.24.43 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs 
(205.164.24.44): 

hxxp://cycl ing20110829.usa.1204.net 

hxxp://pepsizone.cn 

hxxp://ysbr.cn 

hxxp://i nteractsession-697593.regions.com.usersetup.cn 

hxxp://ad. suoie.cn 

hxxp://ycgezkpu.cn 

Related, malicious, MD5s, known, to, have, phoned, 
back, to, the, same, malicious, C &C, server, IPs: MD5 

Cf7a53e66e397c29ea203e025c5d6465 

MD5: 089886483353f93a36dd69f0776beace 

MD5: 528ac8f94123aaa32058f0114b8elfd2 

MD5: 4e8405bb398509fl7242c0b9f614d6e4 

MD5: a364d4fe887e2e40bclec67ad6f9aa31 

Once, executed, a, sample, malware 
(MD5:cf7a53e66e397c29ea203e025c5d6465), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 

hxxp://blenderartists.org - 141.101.125.180 
hxxp://xibudific.cn - 50.117.122.92 



hxxp://freemon itoringservers.com 

hxxp://freemon itoringservers.com. ovh.net 

hxxp://hard wareindexx.com 

hxxp://hard wareindexx.com.ovh.net 

Once, executed, a, sample, malware 
(MD5:089886483353f93a36dd69f0776beace), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 

hxxp://freeonlinedatingtips.net - 204.197.252.70 
hxxp://xibudific.cn - 216.172.154.38 
hxxp://freemon itoringservers.com 
hxxp://freemon itoringservers.com.ovh.net 
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hxxp://sea rchfeedbook.com 

hxxp://sea rchfeedbook.com.ovh.net 

Once, executed, a, sample, malware 
(MD5:528ac8f94123aaa32058f0114b8elfd2), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://historykillerpro.com - 192.254.233.158 

hxxp://motherboardstest.com - 195.22.26.252 

hxxp://dol byaudiodevice.com 

hxxp://dol byaudiodevice.com.ovh.net 



hxxp://xibudific.cn - 50.117.116.204 

Once, executed, a, sample, malware 
(MD5:4e8405bb398509fl7242c0b9f614d6e4), 
phones, back, to, the, following, malicious, C &C, 
server, IPs: 

hxxp://pcskynet.cn 

hxxp://g amepknet.cn 

hxxp://pcsky net.cn.ovh.net 

hxxp://g amepknet.cn.ovh.net 

hxxp://yesl6800.cn 

hxxp://yesl6800.cn.ovh.net 

Once, executed, a, sample, malware 
(MD5:a364d4fe887e2e40bclec67ad6f9aa31), phones, 
back, to, the, following, malicious, C &C, server, IPs: 

hxxp://136136.com - 61.129.70.87 

hxxp://xibudific.cn - 50.117.122.92 

hxxp://hoth intspotonline.com 

hxxp://hoth intspotonline.com.ovh.net 

hxxp://hard wareindexx.com 

Related, malicious, domains, known, to, have, 
responded, to, the, same, malicious, C &C, server, IPs 
(205.164.24.45): 


hxxp://17mv.com 



hxxp://criding.com 

hxxp://criding.com 

hxxp://17mv.com 

hxxp://baudu.com 

hxxp://pwgo.cn 

hxxp://suqiwyk.cn 

hxxp://verringo.cn 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: MD5: 
9905ba7c00761a792ad8a361b4de71ea 

MD5: b83c68f7d09530181908d513eb30a002 

MD5: 78941c2c4b05f8af9a31a9f3d4c94b57 

MD5: 7alb6153a3f00c430b09flc7b9cf7a77 

MD5: 2776c972fa934fd080f5189be7c98a77 

Once, executed, a, sample, malware, phones, back, 
to, the, following, maliciuos, C &C, server, IPs: 

hxxp://down.down988.cn - 50.117.122.91 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 133 

hxxp://imagehut4.cn - 50.117.122.91 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://yingzi.org.cn - 50.117.116.205 



Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://qmmmm.com.cn - 50.117.122.94 

Once, executed, a, sample, malware, phones, back, 
to, the, following, malicious, C &C, server, IPs: 

hxxp://down.down988.cn - 50.117.122.94 

We'll, continue, monitoring, the, campaign, and, post, 
updates, as, soon, as, new, developments, take, place. 
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